ABSTRACT 
This thesis introduces a program that analyzes network protocols using the Communicating Finite State Machines (CFSM) model and the System of Communicating Machines (SCM) model. A simple, two machine implementation of the CFSM model is initially explored. A number of simple protocols are demonstrated as a means to validate the automated tool (program). 
The second model implemented is the SCM model. The SCM tool uses many of the same data structures designed in the CFSM program. The SCM program is validated with an analysis of widely used data link protocols. 


Both programs were done in the Ada language environment. 
I. INTRODUCTION 


“Simulations are set up to answer the question, what if...” 


-Hamming, R. W., Future Engineering Practice 
Course Notes, 11 May 92. 


A. BACKGROUND 


The past ten years have seen a substantial increase in the need to communicate quickly and reliably over long distances using a wide range of architectures. We, the users, live in a “come as you are” digital society. Access to some sort of network is needed to move information from user to user. This movement of information takes place on many networks (voice, message, data) and at many levels (physical, data link, network, and higher). The networks in use today tend to be a heterogeneous mix of equipment and protocols. We, the network designers/engineers, must allow the user access to the available resources at the lowest cost. To do this a firm understanding of how machines ‘handshake’ and talk to one another must be realized. This is accomplished by applying protocol design principles. These principles can be applied to protocols and studied using a wide range of Formal Description Techniques (FDT’s). Examples of existing FDT’s will be reviewed and the need for an automated set of tools will also be explored. 

The need for machines to be able to communicate is inherent in any heterogeneous environment. Machines do this through the use of standardized protocols. A protocol is a set of rules that govern the interaction of concurrent processes in distributed systems. Another widely used definition of a protocol is a set of rules used for communication between two or more processes connected by a communication network. Hand in hand, protocol design and analysis is an important consideration in operating systems, computer networks, and data communications. For a protocol designer/architect to build an appropriate specification, he must use one of a number of modeling techniques. 


Models or FDT’s of protocols are used for many purposes. They are used to describe the protocol unambiguously so that the exact operation is understood by the protocol designer, implementor and user alike. A model is also used to provide a formal framework for a rigorous analysis of the protocol specification. With the advent of internetworking and the birth of the Integrated Services Digital Network (ISDN), computer protocols have become more and more complex. The designer must now develop large sets of rules for information exchange that are logically consistent and efficiently implemented. Designing a new protocol, or implementing an existing one in a computing environment, gives rise to a need for such a tool. 

There are many formal models available to protocol architects. Some of the more common models include Petri Nets, Communicating Processes, Communicating Finite State Machines (CFSM), System of Communicating Machines (SCM), the Language of Temporal Ordering Specifications (LOTOS), Specification and Description Language (SDL), and Extended State Transition Model Language (ESTELLE). LOTOS and ESTELLE are formal description techniques developed by the International Organization for Standardization (ISO) working laterally with the International Telegraph and Telephone Consultative Committee (CCITT). 

The ISO is a standards publishing body whose membership includes the American National Standards Institute (ANSI). In 1980, the ISO saw the advantages of standardizing a hierarchy of protocol services as a reference model for protocol designers. The model includes seven layers: physical, data link, network, transport, session, presentation, and application. The layer/class of protocols that will be analyzed in this thesis is the data link layer protocols. 

Each of the models that will be discussed has a means to amplify the design principles of communications systems [BART 87]. The first principle is for a model to reflect the behavior of the protocol. Behavior is modeled using conformance models, an example of which is found in [RAND 92]. Secondly, the model must allow refinement by the user. Safety and liveness properties should be proven true. The last principles that must be supported are those of concurrency and nondeterminism. A good overview is found in King’s article [KING 91]. 

The need for a variety of models is apparent when it is considered that the interaction between machines occurs at different levels in the OSI structure and that behavior can be quite different among levels and machines. The models listed above will be reviewed in the following section. Most of the models have a means to informally follow the design principles. Upon close inspection of each FDT it is apparent that no one is perfect for all applications. As such, an automated tool will be presented that makes use of two models (CFSM and SCM). The intuitive feel of each protocol, coupled with the power of automating such models, will enable the user to fully enjoy the important design principle of refinement. 


B. OBJECTIVES 

The objective of this thesis is to present a means of automating two powerful models of protocol validation and analysis. The first to be automated is the CFSM model. The data structures and program entities were developed and verified. The second tool automated is the SCM model. Although the SCM uses many of the underlying data structures and logic of the CFSM, the SCM model is much more elegant and much more complex. The output information is provided to the user in an intuitive format. Once the two models were fully functional, test cases were input to the models to verify the functionality. Finally, a select number of existing protocols were input and the analyses compared to previous research using a manual method. 


C. SCOPE 

This thesis presents an automated implementation of both the CFSM and SCM models. The implementation of each model was limited to two machine protocols. The specifications covered in this thesis lend themselves very well to simulation or automated analysis. 


The unboundedness property of CFSM channels is, in practice, limited by the hardware that the tool is run on. A channel can have a bound the size of the largest machine register; in the case of the test runs, on a SUN SPARCstation, the upper bound was that of the largest integer (4.294967 x 10^9 items). 

An analysis of select data link protocols is included to illustrate the use of the CFSM and SCM automated models. The specifications will only address procedural rules, not formatting of messages. 


D. ORGANIZATION 

This thesis is organized into three sections. The first section includes Chapters II and III. Chapters II and III give background on pertinent models and language considerations. The next section, Chapters IV and V, gives a detailed description of how the code was implemented to reflect the behavior of the two models. The final section, Chapter VI, describes the specifications of the Alternating Bit, Go_Back_N, and Selective Repeat network protocols. It also describes how the user inputs the information into and receives output from the tool. A means for validating each automated model is discussed in this chapter. Finally, Chapter VII includes conclusions made based on the thesis work and recommendations for future work in the area. 


II. BACKGROUND OF MODELS 


A. GENERAL 


This section contains an overview of some existing FDT’s. Each model is a different way to represent a protocol design or reflect network behavior. Each has its own inherent advantages and disadvantages, which must be considered before application. Two of the models listed (ESTELLE and LOTOS) are automated. 

The first method of description is Petri Nets. Petri Nets are a graphical representation of a system’s states and state changes. The possible states are captured using places which can hold tokens. A particular state is represented by the distribution of tokens among the places. State changes are described using transitions. This can be visualized as being similar to a directed graph. The input and output arcs associated with each transition determine how token placement changes. The behavior of a system can be determined by examining token movement within the net. Freedom from deadlock and livelock are examined in this model. The complexity of a Petri Net representation increases with the size of the protocol being modeled. A major consideration in using this model is that the intuitive feel of a protocol is lost in the complex cases. 

Another class of FDT is called “communicating processes.” The following description is examined more closely in Lundy’s article [LUND 92b]. The elimination of a set of global states is done through the use of invariants. Rather than generating the set of all possible states and inspecting them to be sure no undesirable state exists, an assertion is made. The assertion states the desired property. It is then proven that the protocol always satisfies the assertion; this must be proven without having to compute all the possible states which might be reached. The communication between processes takes place through unbounded FIFO queues. Processes are emulated by use of variables and statements. The execution of an action is an atomic event and no two actions may occur simultaneously. Since communication between processes can only occur using FIFO queues, actions may only follow a given sequence. The SCM model demonstrates how this characteristic is overcome. 

Extended State Transition Model Language (ESTELLE) can describe a system in terms of a set of communicating extended finite state machines through use of FIFO channels, similar to the definition of CFSM. This model describes the protocol as a collection of modules, each module being an extended FSM having memory; the difference between a CFSM and an Estelle model is that the CFSM model has no memory. Modules of an entity can communicate through FIFO channels [SARI 91]. Messages are exchanged between entities as parameters to the modules. Estelle is based on Pascal and extension of the language is a feature available to the programmer/user. The models automated in this thesis are similar to Estelle; however, data representation is implemented differently and the power of the language implemented (Ada) is utilized. ESTELLE also allows dynamic module creation/destruction and transition priorities. A model implementation consideration is that ESTELLE cannot adequately represent broadcast channels, a task for which the SCM model has been shown to be very well suited, such as CSMA/CD analysis [LUND 91a]. 

The Specification and Description Language (SDL) was designed and implemented by groups SGXI and SGX of the CCITT. It was meant as a tool for the design and specification of telephone switches and their underlying protocols. Currently there are two versions of SDL: a graphical tool and a text program tool. Processes are represented by flowcharts, which may be concurrent with other processes. The eight traditional flowchart symbols represent atomic actions such as internal events, input and output, boolean expressions, wait conditions, statements, transitions, and connectors. Each flowchart has an associated channel (queue) used to process messages. The Holzmann text [HOLZ 91] includes a more specific definition of SDL with some examples. One advantage to this approach is that the user gets a feel, graphically, for the behavior of the protocol. Message execution is somewhat restricted to the properties that a FIFO queue has. 


The ISO Language of Temporal Ordering Specifications (LOTOS) is a means of representation using hierarchically structured processes. As with ESTELLE, LOTOS was developed by the ISO. A hierarchy of processes can correspond to one entity [SIST 91], a concept that is reflected in object-oriented design environments. Systems represented using this model are organized as a set of interacting processes which exchange information with each other and with the external system environment through gates. LOTOS is a superset language consisting of an abstract data type language and an algebraic notation language, both of which uphold the good design principles covered earlier. Interaction is synchronous through gates that have a one-to-one mapping to interaction points. 

The tool implemented in this thesis uses the technique of representing portions of machine behavior as abstract data types, as demonstrated in LOTOS. A technique of interpreting machine behavior through use of finite state machine representation, as with ESTELLE, will also be integrated into the design. Plans for future upgrade of this tool include a graphical interface similar to that of SDL. 


B. COMMUNICATING FINITE STATE MACHINES 


One of the first manual tools used for analyzing communication protocol behavior was the communicating finite state machine (CFSM) model. This models each machine in the network as a finite automaton, or finite state machine, with communication channels between pairs of machines modeled as one-way, infinite length FIFO queues. There has been a great deal of work in this area, a few examples being [PENG 91], [VUON 83] and [RUDI 83]. The model is defined for an arbitrary number of machines; however, for simplicity’s sake it will be presented as a two machine model as shown in Figure 1. 


Figure 1: CFSM, two machine behavior representation 





In this section the CFSM model will be defined [GOUD 83], followed by a simple protocol analysis to illustrate the model. 

A communicating machine M is a finite, directed labeled graph with two types of edges, sending edges and receiving edges. A sending (receiving) edge is labeled ‘-g’ (‘+g’) for some message g, taken from a finite set G of messages. One of the nodes in M is identified as the initial node, and each node is reachable from the initial node by some directed path. A node in M whose outgoing edges are all sending (receiving) edges is a sending (receiving) node; otherwise the node is a mixed node. If the outgoing edges of each node in M have distinct labels then M is deterministic; otherwise M is nondeterministic. The nodes of M are often referred to as states; the two terms are used interchangeably. 

Let M and N be two communicating machines having the same set G of messages; the pair (M,N) is a network. A global state of this network is a four-tuple [m, c_mn, c_nm, n] where m and n are nodes (states) from M and N, and c_mn and c_nm are strings from the set G of messages. Intuitively, the global state [m, c_mn, c_nm, n] means that the machines M and N have reached states m and n, and the communication channels contain the strings c_mn and c_nm of messages. Channel c_mn contains the messages sent from M to N, and channel c_nm the messages sent from N to M. The string c_i will be referred to as channel c_i. 

The initial global state of (M,N) is [m_0, E, E, n_0], where m_0 and n_0 are the initial states of M and N, and E is the empty string. 

The network progresses as transitions are taken in either M or N. Each transition 
consists of a state change in one of the machines, and either the addition of a message to 
the end of one channel (sending transition) or the deletion of a message from the front of 
one channel (receiving transition). 

A sending transition in M (N) adds a message to the end of channel c_mn (c_nm); a receiving transition in M (N) removes a message from the front of channel c_nm (c_mn). 

If s_1 = [m, c_mn, c_nm, n] is a global state of (M,N), then state s_2 follows s_1 if there is a transition (in M or N) which can be executed in s_1 such that the resulting state is s_2. A state s_2 is reachable from state s_1 if there is a sequence of states s_i, s_{i+1}, ..., s_{i+p} such that s_i follows s_1, s_{i+1} follows s_i, and so on, and s_2 follows s_{i+p}. A state s is reachable if it is reachable from the initial state. 

The communication of a network (M,N) is bounded if, for every reachable state [m, c_mn, c_nm, n], there is a nonnegative integer k such that |c_mn| <= k and |c_nm| <= k, where |c| denotes the number of messages in channel c. 

A reachability graph of a network (M,N) is a directed graph in which the nodes correspond to the reachable global states of (M,N), and the edges represent the follows function, such that there is an edge from state s_i to state s_j if and only if s_j follows s_i. The edges are labeled with the transition which they represent. The reachability graph can be generated by starting with the initial state, adding the states which follow it, connecting them to it with edges, and repeating for each new state generated. An overview of the functional units of the CFSM model is shown in Figure 2. 


[Figure 2 shows three functional units: the Machine 1 FSM, the Machine 2 FSM, and the Global Reachability Analysis.] 

Figure 2: CFSM model representation. 


A global state [m, c_mn, c_nm, n] is a deadlock state if both m and n are receiving nodes, and c_mn = c_nm = E, where E denotes the empty string. 

A global state [m, c_mn, c_nm, n] is an unspecified reception state if one of the following two conditions is true: 

(1) m is a receiving state, the message at the head of channel c_nm is g, and none of m’s outgoing transitions is labeled ‘+g’. 

(2) n is a receiving state, the message at the head of channel c_mn is g, and none of n’s outgoing transitions is labeled ‘+g’. 

A simplified version of the stop-and-wait data link protocol will be analyzed as an example of analysis with the CFSM model. The interfaces between layer 6 (user) and layer 2 (data link) of the Open Systems Interconnection (OSI) model are transparent in all the examples addressed in this thesis. An assumption is made that the higher layer has passed the information/frames without error. The frames at each layer have accomplished the appropriate concatenation of header and address information. So, at layer 2, this protocol consists of two distinct entities, a sender and a receiver. Machine 1 serves as the sender and machine 2 serves as the receiver as shown in Figure 3. The sender places a frame on the channel to the receiver. The receiver senses a frame on the incoming channel and accepts the message from the channel, removing the message from the incoming channel. The receiver then sends an acknowledgment packet to the sender. The sender senses the acknowledgment packet and is clear to send another frame of information to the receiver. 


[Figure 3 shows the two finite state machines: Machine 1 with transitions -D and +A, Machine 2 with transitions +D and -A.] 

Figure 3: CFSM specification for stop-and-wait. 


The finite state machines in Figure 3 represent the behavior defined for the stop-and-wait protocol. The -D represents sending data; +D, receiving data; -A, sending an acknowledgment; and +A, receiving an acknowledgment. As per the definition of the CFSM model, there are two channels, one from machine 1 to machine 2 and one from machine 2 to machine 1. The notch on state 1 of both machines represents the initial/starting state. 

The global reachability analysis graph shown in Figure 4 is free from deadlock, unspecified receptions, and unexecuted transitions. 
Figure 4: CFSM, global reachability analysis, stop-and-wait. 


This model has many desirable features as well as some disadvantages that are improved upon in the SCM model. The one glaring disadvantage is that the analysis might not terminate if the queue length is unbounded. The number of global states in Figure 4 is trivial, but for complex specifications the number of states will lead to a combinatorial state explosion. This is true even when the queue length is very restrictive. As pointed out in [LUND 91b], the specification of a practical protocol can be so complex, containing hundreds of states and transitions, that the user cannot be sure of the intended specification or grasp the intuitive feel for what the protocol is intended to do. This model has the advantage of simplicity and a method of analysis that can be easily automated. 
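The CFSM definitions above (global state, the follows relation, deadlock, unspecified reception) and the stop-and-wait analysis of Figures 3 and 4, worked in Python as an added example; this is not the thesis’s Ada program. Channels are bounded by a caller-supplied k so the construction terminates, and a second, constructed faulty sender (not from the thesis) shows how an unspecified reception and an unexecuted transition are reported.

```python
from collections import deque

# Each machine is a dict: state -> list of (label, next_state), where a label is
# '-g' for a sending edge and '+g' for a receiving edge.  State 1 is initial.
# Stop-and-wait as in Figure 3: Machine 1 sends D and waits for A,
# Machine 2 receives D and replies with A.
STOP_AND_WAIT = (
    {1: [("-D", 2)], 2: [("+A", 1)]},
    {1: [("+D", 2)], 2: [("-A", 1)]},
)

# Constructed faulty variant (assumption, not from the thesis): the sender may
# also emit a message X for which the receiver has no '+X' edge.
FAULTY = (
    {1: [("-D", 2), ("-X", 3)], 2: [("+A", 1)], 3: [("+A", 1)]},
    {1: [("+D", 2)], 2: [("-A", 1)]},
)


def is_receiving(machine, state):
    """A node is a receiving node if all of its outgoing edges are '+g' edges."""
    edges = machine[state]
    return bool(edges) and all(lbl[0] == "+" for lbl, _ in edges)


def successors(net, gs, bound):
    """All (transition, global state) pairs that follow gs = [m, c_mn, c_nm, n].
    Channels are tuples used as FIFO queues; a send is refused once a channel
    holds `bound` messages, which keeps the analysis finite."""
    M, N = net
    m, c_mn, c_nm, n = gs
    out = []
    for lbl, nxt in M[m]:
        if lbl[0] == "-" and len(c_mn) < bound:              # M sends onto c_mn
            out.append((("M", m, lbl), (nxt, c_mn + (lbl[1:],), c_nm, n)))
        elif lbl[0] == "+" and c_nm and c_nm[0] == lbl[1:]:  # M receives from c_nm
            out.append((("M", m, lbl), (nxt, c_mn, c_nm[1:], n)))
    for lbl, nxt in N[n]:
        if lbl[0] == "-" and len(c_nm) < bound:              # N sends onto c_nm
            out.append((("N", n, lbl), (m, c_mn, c_nm + (lbl[1:],), nxt)))
        elif lbl[0] == "+" and c_mn and c_mn[0] == lbl[1:]:  # N receives from c_mn
            out.append((("N", n, lbl), (m, c_mn[1:], c_nm, nxt)))
    return out


def classify(net, gs):
    """Deadlock and unspecified-reception tests, straight from the definitions."""
    M, N = net
    m, c_mn, c_nm, n = gs
    if is_receiving(M, m) and is_receiving(N, n) and not c_mn and not c_nm:
        return "deadlock"
    if is_receiving(M, m) and c_nm and ("+" + c_nm[0]) not in [l for l, _ in M[m]]:
        return "unspecified reception"
    if is_receiving(N, n) and c_mn and ("+" + c_mn[0]) not in [l for l, _ in N[n]]:
        return "unspecified reception"
    return "ok"


def reachability(net, bound=2):
    """Build the reachability graph breadth-first from [m0, E, E, n0].
    Returns (graph, errors): graph maps each global state to its outgoing
    (transition, state) edges; errors maps faulty states to their kind."""
    init = (1, (), (), 1)
    graph, errors, queue = {init: []}, {}, deque([init])
    while queue:
        gs = queue.popleft()
        kind = classify(net, gs)
        if kind != "ok":
            errors[gs] = kind
        for trans, nxt in successors(net, gs, bound):
            graph[gs].append((trans, nxt))
            if nxt not in graph:
                graph[nxt] = []
                queue.append(nxt)
    return graph, errors


def unexecuted(net, graph):
    """Transitions of either machine that never appear as an edge of the graph."""
    declared = {(who, s, lbl) for who, mach in zip("MN", net)
                for s, edges in mach.items() for lbl, _ in edges}
    taken = {trans for edges in graph.values() for trans, _ in edges}
    return declared - taken


if __name__ == "__main__":
    for name, net in (("stop-and-wait", STOP_AND_WAIT), ("faulty", FAULTY)):
        g, errs = reachability(net)
        print(name, len(g), "global states;", errs or "no errors;",
              "unexecuted:", unexecuted(net, g) or "none")
```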


C. SYSTEM OF COMMUNICATING MACHINES 

In this section the model used to specify and analyze protocols is briefly described. A more detailed description appears in [LUND 91a]. Following the definition of the model will be an analysis of a simple protocol to illustrate the model. 

A system of communicating machines is an ordered pair C = (M,V), where 

M = {m_1, m_2, ..., m_n} 

is a finite set of machines, and 

V = {v_1, v_2, ..., v_k} 

is a finite set of shared variables, with two designated subsets R_i and W_i specified for each machine m_i. The subset R_i of V is called the set of read access variables for machine m_i, and the subset W_i the set of write access variables for m_i. 

Each machine m_i ∈ M is defined by a tuple (S_i, s_0, L_i, N_i, T_i), where 

(1) S_i is a finite set of states; 

(2) s_0 ∈ S_i is a designated state called the initial state of m_i; 

(3) L_i is a finite set of local variables; 

(4) N_i is a finite set of names, each of which is associated with a unique pair (p,a), where p is a predicate on the variables of L_i ∪ R_i and a is an action on the variables of L_i ∪ R_i ∪ W_i; 

(5) T_i: S_i × N_i → S_i is a transition function, which is a partial function from the states and names of m_i to the states of m_i. 

Machines model the entities, which in a protocol system are processes and channels. The shared variables are the means of communication between the machines. Intuitively, R_i and W_i are the subsets of V to which m_i has read and write access, respectively. A machine is allowed to make a transition from one state to another when the predicate associated with the name for that transition is true. Upon taking the transition, the action associated with that name is executed. 

The set L_i of local variables specifies a name and a range for each. The range must be a finite or countable set of values. 

A system state tuple is a tuple of all machine states. That is, if (M,V) is a system of n communicating machines, and s_i, for 1 <= i <= n, is the state of machine m_i, then the n-tuple (s_1, s_2, ..., s_n) is the system state tuple of (M,V). 

A system state is a system state tuple together with its enabled outgoing transitions. Two system states are equivalent if every machine is in the same state, and the same outgoing transitions are enabled. 

The initial system state is the system state such that every machine is in its initial state, 
and the enabled outgoing transitions are the same as in the initial global state. 

The global state of a system consists of the system state, plus the values of all variables, both local and shared. The initial global state is the initial system state, with the additional requirement that all variables have their initial values. A global state corresponds to a system state if every machine is in the same state and the same outgoing transitions are enabled. 

Let T(s_1, n) = s_2 be a transition which is defined on machine m_i. Transition T is enabled if the enabling predicate p associated with name n is true. Transition T may be executed whenever m_i is in state s_1 and the predicate p is true (enabled). The execution of T is an atomic action, in which both the state change and the action a associated with n occur simultaneously. The format for the associated predicate-action table is shown in Table 1. 
[Figure 5 shows Machine 1 and Machine 2, each with its own local variable, communicating through a GLOBAL_VARIABLE.] 

Figure 5: SCM, two machine behavior representation. 


TABLE 1: SCM, two machine predicate-action table format. 

Transition      | Predicate                                | Action 
----------------|------------------------------------------|---------------------------------------- 
Transitions for | Values of variables that must hold true  | The local and GLOBAL variable behavior 
Machine 1       | for the transition to be enabled.        | when the transition is taken. 
Transitions for | Same as above.                           | Same as above. 
Machine 2       |                                          | 


Note that if the values of all variables are restricted to some finite range, then the model can be reduced to a simple finite state machine. Otherwise an infinite number of global states is possible. However, even if the number of global states is infinite, the number of system states is finite, because of the finiteness of each machine. This may allow a reachability analysis on the system states when a reachability analysis on the global states is infinite. General behavior of the SCM model is shown in Figure 5 and the general SCM model representation is found in Figure 6. 
[Figure 6 shows the functional units: the Machine 1 and Machine 2 FSM’s, the SCM predicate-action table, and the global reachability analysis.] 

Figure 6: SCM, general model representation. 


The stop-and-wait protocol will also be used to demonstrate analysis using the SCM model. The stop-and-wait protocol specification is the same as defined in the previous section. The specification as represented by the SCM model is shown as a set of finite state machines and a predicate-action table. 

The finite state machine representation for the SCM model is similar to the CFSM example. Again this protocol is only demonstrated with two machines. The FSM’s are shown in Figure 7. Also shown are the local and global variables. The local variables in Machine 1 and 2 can have the values D (data), A (acknowledgment), and E (empty). The initial value for out_buff is D and the initial value for all other variables is E. The system global variable, CHAN, can have the same values as the local variables. 


[Figure 7 shows the Machine 1 and Machine 2 finite state machines with transitions -D and +D and the shared variable RET.] 

Figure 7: SCM specification for stop-and-wait, finite state machines and variable definitions. 


The predicate-action table is shown in Table 2. For this example the assumption is made that data is always made available to the CHAN from out_buff. 

TABLE 2: SCM specification for stop_and_wait, predicate action table. 

Transition    | Predicate                  | Action 
--------------|----------------------------|------------------ 
Machine 1: -D | CHAN = E /\ out_buff /= E  | CHAN := out_buff 
Machine 1: +A | RET = A                    | RET := E 
Machine 2: +D | [not legible]              | CHAN := E 





The global state reachability and system state reachability graphs are found in Figure 8 and Figure 9. The format for the global state tuple of the stop-and-wait protocol is: 

[ Machine1_state, out_buff, CHAN, RET, in_buff, Machine2_state ] 

Figure 8: SCM, global reachability analysis, stop-and-wait. 


The format for a system state tuple for all cases of analysis is: 

[ Machine1_state, Machine2_state ] 

[Figure 9 shows the system state graph with transitions -D, +D and -A.] 

Figure 9: SCM, system reachability analysis, stop-and-wait. 
The SCM model has the desirable properties found in the CFSM model as well as overcoming some of the inherent disadvantages of the CFSM model. In the SCM model the behavior of the protocol can be clearly and quite adequately represented, maintaining an intuitive feel of the specification. The SCM model can ameliorate the combinatorial state explosion through the use of system state analysis, greatly reducing the number of generated states. Instead of implicit queues, shared variables are used for communication between processes. This allows communication between machines in a non-sequential manner, unlike the FIFO queue representation in the CFSM model. 

The final advantage is that the nature of the SCM’s representation of a protocol gives it the feel of a programming language. Although more complex to program than a CFSM model, the actions associated with the FSM and the predicate-action table lend themselves to automated implementation. 
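The SCM definitions (global state, system state, equivalence) and the stop-and-wait specification of Figure 7 and Table 2, worked in Python as an added example rather than the thesis’s Ada program. The two Machine 1 rows follow Table 2; the Machine 2 rows (+D, -A) are not legible on the page and are assumed here from the stop-and-wait description, as is the choice to model both CHAN and RET as shared variables. The code builds the global reachability graph in the thesis’s tuple format and then collapses it to system states, showing that the two global states with machine tuple (2,1) remain distinct system states because different transitions are enabled in each.

```python
from collections import deque

E, D, A = "E", "D", "A"            # values of the local and global variables
VARS = ("out_buff", "CHAN", "RET", "in_buff")

# Predicate-action table: name -> (machine index, from state, to state,
# enabling predicate, action).  Predicates read a dict of variable values;
# actions return the updated dict.
TABLE = {
    # Machine 1 rows as in Table 2.
    "-D": (0, 1, 2, lambda v: v["CHAN"] == E and v["out_buff"] != E,
           lambda v: {**v, "CHAN": v["out_buff"]}),
    "+A": (0, 2, 1, lambda v: v["RET"] == A,
           lambda v: {**v, "RET": E}),
    # Machine 2 rows: assumed (not legible in Table 2).
    "+D": (1, 1, 2, lambda v: v["CHAN"] == D,
           lambda v: {**v, "in_buff": v["CHAN"], "CHAN": E}),
    "-A": (1, 2, 1, lambda v: v["RET"] == E and v["in_buff"] == D,
           lambda v: {**v, "RET": A, "in_buff": E}),
}

INITIAL_VARS = {"out_buff": D, "CHAN": E, "RET": E, "in_buff": E}


def global_key(states, v):
    """Hashable global state: (system state tuple, variable values)."""
    return states, tuple(v[x] for x in VARS)


def as_thesis_tuple(key):
    """[Machine1_state, out_buff, CHAN, RET, in_buff, Machine2_state]."""
    (m1, m2), (out_buff, chan, ret, in_buff) = key
    return [m1, out_buff, chan, ret, in_buff, m2]


def enabled(states, v):
    """Names whose machine is in the source state and whose predicate holds."""
    return [name for name, (i, src, _, pred, _) in TABLE.items()
            if states[i] == src and pred(v)]


def execute(states, v, name):
    """Atomic execution: the state change and the action happen together."""
    i, _, dst, _, action = TABLE[name]
    new_states = tuple(dst if j == i else s for j, s in enumerate(states))
    return new_states, action(v)


def global_reachability(states=(1, 1), v=None):
    """Breadth-first global state graph: key -> list of (name, successor key)."""
    v = dict(v or INITIAL_VARS)
    start = global_key(states, v)
    graph, queue = {start: []}, deque([(states, v)])
    while queue:
        st, vals = queue.popleft()
        for name in enabled(st, vals):
            nst, nvals = execute(st, vals, name)
            nkey = global_key(nst, nvals)
            graph[global_key(st, vals)].append((name, nkey))
            if nkey not in graph:
                graph[nkey] = []
                queue.append((nst, nvals))
    return graph


def system_reachability(graph):
    """Collapse global states to system states: (state tuple, enabled names).
    Global states that agree on both are equivalent and become one node."""
    sys_of = {k: (k[0], tuple(sorted(n for n, _ in e))) for k, e in graph.items()}
    sgraph = {}
    for k, edges in graph.items():
        node = sgraph.setdefault(sys_of[k], set())
        node.update((name, sys_of[k2]) for name, k2 in edges)
    return sgraph


def stuck_states(graph):
    """Global states with no enabled transition (nothing can ever fire)."""
    return [as_thesis_tuple(k) for k, edges in graph.items() if not edges]


if __name__ == "__main__":
    g = global_reachability()
    for k, edges in g.items():
        print(as_thesis_tuple(k), "->", [(n, as_thesis_tuple(k2)) for n, k2 in edges])
    print(len(g), "global states,", len(system_reachability(g)), "system states,",
          "stuck:", stuck_states(g))
```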


D. LANGUAGE CONSIDERATIONS 

In which language should the CFSM and SCM models be implemented? Before all the available languages were researched, a list of desirable properties that the language must have (specific to the models) was developed. After a close inspection of the definition and nuances of the CFSM model, the SCM model, and the reachability analysis generated, a number of language properties were found desirable for this project. 

The language properties should support hardware and software design issues. The code must be portable from one architecture to another. The language should have a means to create different class instances from a base class. An intuitive means to provide meaningful output of the analysis and programming error messages to the user enhances the program’s utility. Since the program must simulate network specifications there is an inherent need to be able to do multiprocessing or multitasking in the programming environment. The language of choice should enforce the rules of strong typing, that is, not allowing mixing of types and subtypes. The final property of the language should be its ease of use and understandability. 

The language of choice should be portable between different machines. It cannot be 
assumed that the user has access to a mainframe computer or workstation. The language 
should be compilable on a machine as small as a personal computer. 

Implementation of the models should help the user to avoid and detect mistakes. The environment should prompt the user when a syntactic or semantic error is made. The error messages should be meaningful. Inherent to this requirement, the language should enforce strict definitions of atomic entities such as data structures. 

Dynamic list creation/deletion is necessary in reachability graph construction. This allows flexible and ultimately limitless (hardware specific) analyses to be done. Linked list creation and traversal should make use of reusable programming units. The logic for creating new nodes should allow the program to ‘remember’ where the last node was built. This should be done automatically, without user intervention after compile time. 

An important property, although subject to varying opinion, is ease of use. The project is developed in one language, but the human interface to the underlying code must be understandable and intuitive. Hand in hand with ease of use is ease of maintainability. There should be enough on-line and off-line help to allow the user to navigate the user interface. An understandable debugger was also a factor in the choice. 

Ada was chosen because it supports the above mentioned properties. It is a language that is portable between different architectures. It supports generic class creation and instantiation. Through the use of predefined input and output packages, the user is allowed to build a suitable interface environment. With the use of exception handling, meaningful error messages can be created and employed. Ada also has the ability to multitask, simulating parallel processing. Finally, Ada is easy to use. The code can be read by a novice, who can understand what is meant to happen. 

The language of C/C++ was not chosen due to a few limitations. At the time of this writing it could not support the multitasking needed to simulate concurrency or broadcast networks. It was also difficult to do generic-like coding. The object orientation of the design lent itself very nicely to the structures used in the CFSM and SCM models as covered in [RUMB 91]. It became apparent that there was reused code that would have been more efficiently implemented with generic data structures. Although it could have been done with the use of macro-like instructions, generic packages made the project more compact and efficient. Generic package creation and instantiation was not supported by the current version of the C/C++ compiler. The C programming environment does not support exception handling; programming error detection messages were vague and could not be developed by the user. A good means of automatic implementation of error messages in the C++ environment was not available at the time of this publishing. Ada could do this through use of exception handling. 
III. A PROGRAM FOR GENERATING A CFSM REACHABILITY ANALYSIS


In this chapter the organization of the CFSM program will be described. The means for input, output, and reachability analysis will be highlighted. Excerpts of the underlying code will be accompanied by a brief explanation. The formal definition of the CFSM model found in Chapter II is the basis for constructing the program.


A. PROGRAM STRUCTURE 


The structure of the CFSM program is based on functional units (objects) of the 
general CFSM model. The data structures of the basic objects must represent 
communication channels, machine states, transitions, and a means for capturing global 
tuple (state) values. In addition to constructing the fundamental data structures, there must 
be an intuitive input mechanism for the FSM’s and an understandable display of the 
analysis. 

Implementation details should be hidden from the user. Operations such as loading the CFSM into memory, performing a reachability analysis, constructing the global reachability graph, and traversing the graph during searches/output are independent of the specific protocol to be analyzed.

The program consists of input related procedures, a reachability analysis, and output procedures. To help manage such a complex and large programming project, separate compilation units were used. The compilation units were physically grouped by file according to the function they performed, as shown below:


TABLE 3: CFSM compilation units.

Unit                      Description                                     File
read_in_file              parses the text input file
load_machine_array        builds machine adjacency lists from the
                          parsed file
build_Gstate_graph        builds global reachability analysis graph       reachability.a
clear_pointers            clears values for another input file            reachability.a
search_for_tuple          performs BFS search of graph                    search.a
(name not recoverable)    compares global records for equality            search.a
                          (similar to =)
output_Gstate_node        format for node output
output_Gstate_transition  format for transition output                    output.a
output_Gstates            traverses graph and outputs nodes and
                          transitions
output_machine_arrays     format output of contents of adjacency lists    output.a
create_output_file        creates file for analysis output

This use of separate subprograms (compilation units) facilitated the development of the SCM program from existing CFSM code.

The behavior at run time is shown in Figure 10 and the associated files of the CFSM program are shown in Figure 11.

Figure 10: CFSM run time behavior

Figure 11: CFSM compilation units.





During the design phase of the program it became apparent that some software components and structures were used more than once. For instance, when doing a reachability analysis many types of stacks and queues were used. Although the underlying data types were different, the algorithm for each structure was exactly the same. To increase efficiency, generic packages were used. Generic units are defined as a reusable software module or a program unit template [GONZ 91].

The implementation of stacks and queues is accomplished using generics. For instance, within the program there is a need for a queue of characters representing the flow of information on the channels between two machines. To assist in the construction of the reachability graph there needs to be a queue of pointers to graph nodes (see Section C). Each type of queue has some common procedures and functions. Each needs procedures to clear the queue, enqueue, and dequeue. Each must also have functions that return the value of the first item of the queue, determine if the queue is empty and determine if the contents of two queues are equal. If these common functions and procedures had to be rewritten with a different underlying data type, the number of compilation units as well as the object code would increase; thus the user would be saddled with more ‘waiting’ time.

The protocol environment can be modified by using generic parameters. The generic package queues has two parameters: the item type and the maximum size of the queue. This allows the user to define what type of items are contained in the channel (queue) and how big the channel (queue) can be. Two instantiations of queues in the program are:


package queue_pack is new queues(character, MAX => 3);
package Gpointer_queue_pack is new queues(Glink_type, MAX => 10);


The queue_pack package defines a queue of characters. A ceiling or bound can be placed on the capacity (number of queued messages) of a channel. If an unbounded channel is to be simulated, the maximum allowable integer can be given. The pointer queue Gpointer_queue_pack gives the user a means to determine the maximum size of a reachability graph, although in the general case a large number is preferred so that all tuples (states) of a protocol reachability graph can be generated. The generic package stacks was implemented in a similar fashion.


B. INPUT 


An important step in designing the CFSM and SCM programs is developing a meaningful method of inputting the finite state machines. The graphical representation of a simple FSM conveys a behavior associated with a protocol specification. A means to transfer this graph into a data structure that can be used in the reachability analysis was developed.

The FSM’s were input as a text file. This file is built by the user with a set of language rules similar to Backus-Naur Form (BNF). The input file is parsed one line at a time. Each line is read into a line buffer and tokens formed according to the rules defined below. From the tokens, an internal data structure is generated to represent the set of finite state machines. The list of valid instructions for finite state machine input is:


start
machine        <natural>
state          <natural>
initial_state  <natural> <natural>
trans          <-|+> <a|b|...|z|A|B|...|Z> <natural>
finish


The tokens are cast into either enumerated types (instructions) or integers (integer variables). The integer variables have been formally defined within the main procedure in Appendix A.


The meanings of the instructions are:


start           Serves as a beginning flag for the file.
machine         Defines the current machine.
state           Defines the current state.
initial_state   The initial/start state for machines one and two.
trans           Transition type, transition message, and next state.
finish          Serves as an ending flag for the file.


Representation of a finite state machine using the above convention has some inherent constraints. Since an input token, such as the transition -D, cannot be directly cast into an enumeration token (no special characters at the beginning of a token), the (-,+) must be converted separately to (snd,rcv) tokens. The use of alphabetic characters to represent messages in a channel limits messages to 52 distinct types (a..z, A..Z). The input file for stop_and_wait is:


start
machine 1
state 0
trans -D 1
state 1
trans +A 0
machine 2
state 0
trans +D 1
state 1
trans -A 0
initial_state 0 0
finish
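
The input language above, read by a parser written for this section as an added Python example (it is not the thesis's Ada input procedure). It tokenizes the file one line at a time as the text describes, converts the -/+ prefix separately into snd/rcv, enforces the 52-letter message alphabet, and builds one adjacency list per machine keyed by state number; it accepts both spellings, initial_state and initial state, that appear in the text. The sample file STOP_AND_WAIT is the stop_and_wait input reproduced inline so the block runs stand-alone.

```python
"""Parser for the CFSM text-file format (added example, not the thesis's code)."""
import string
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Transition:
    kind: str               # 'snd' for '-', 'rcv' for '+' (converted separately, as the text notes)
    message: str            # exactly one letter a..z or A..Z (52 distinct message types)
    next_state: int
    executed: bool = False  # left for the reachability analysis to set


@dataclass
class CFSM:
    # machines[m][state] -> transitions leaving that state: the adjacency list
    machines: Dict[int, Dict[int, List[Transition]]] = field(default_factory=dict)
    initial: Tuple[int, ...] = ()


class ParseError(ValueError):
    pass


# Constructed sample input: the stop_and_wait file from the text.
STOP_AND_WAIT = """\
start
machine 1
state 0
trans -D 1
state 1
trans +A 0
machine 2
state 0
trans +D 1
state 1
trans -A 0
initial_state 0 0
finish
"""


def _naturals(args: List[str], count: int, lineno: int) -> List[int]:
    if len(args) != count or not all(a.isdigit() for a in args):
        raise ParseError(f"line {lineno}: expected {count} natural number(s)")
    return [int(a) for a in args]


def parse_cfsm(text: str) -> CFSM:
    """Read the file line by line, tokenize, and build the adjacency lists."""
    cfsm = CFSM()
    machine = state = None
    started = finished = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        if finished:
            raise ParseError(f"line {lineno}: text after finish")
        instr, args = tokens[0].lower(), tokens[1:]
        if instr == "initial" and args and args[0].lower() == "state":
            instr, args = "initial_state", args[1:]      # two-word spelling
        if instr == "start":
            started = True
        elif not started:
            raise ParseError(f"line {lineno}: file must begin with start")
        elif instr == "machine":
            machine = _naturals(args, 1, lineno)[0]
            cfsm.machines.setdefault(machine, {})
            state = None
        elif instr == "state":
            if machine is None:
                raise ParseError(f"line {lineno}: state before machine")
            state = _naturals(args, 1, lineno)[0]
            cfsm.machines[machine].setdefault(state, [])
        elif instr == "trans":
            if state is None:
                raise ParseError(f"line {lineno}: trans before state")
            if (len(args) != 2 or len(args[0]) != 2 or args[0][0] not in "-+"
                    or args[0][1] not in string.ascii_letters):
                raise ParseError(f"line {lineno}: expected <-|+><letter> <natural>")
            kind = "snd" if args[0][0] == "-" else "rcv"
            nxt = _naturals(args[1:], 1, lineno)[0]
            cfsm.machines[machine][state].append(Transition(kind, args[0][1], nxt))
        elif instr == "initial_state":
            cfsm.initial = tuple(_naturals(args, 2, lineno))
        elif instr == "finish":
            finished = True
        else:
            raise ParseError(f"line {lineno}: unknown instruction {instr!r}")
    if not finished:
        raise ParseError("missing finish")
    if len(cfsm.initial) != len(cfsm.machines):
        raise ParseError("initial_state must give one state per machine")
    # Every next_state must be a declared state of the same machine.
    for m, states in cfsm.machines.items():
        for t in (t for lst in states.values() for t in lst):
            if t.next_state not in states:
                raise ParseError(f"machine {m}: undeclared next state {t.next_state}")
    return cfsm
```

The post-parse checks (one initial state per machine, every next_state declared) are the ones a reachability analysis depends on; a dangling next_state would otherwise surface only as a failed lookup during graph construction.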
The data structure representing the CFSM is then used to construct a reachability analysis graph. The two data structures that support directed graphs (or finite state machines) are adjacency lists and adjacency matrices. Since the use of adjacency matrices to construct directed graphs can lead to wasted hardware memory, adjacency lists (one dimensional array of linked lists) were implemented.


The data structure to build the adjacency list and the constraints are:


type machine_array_record_type;
type Mlink_type is access machine_array_record_type;
type cfsm_transition_type is (snd, rcv, unused);
type executed_type is (yes, no);

type machine_array_record_type is
   record
      transition : cfsm_transition_type;
      message    : character;
      next_state : natural;
      executed   : executed_type;
      Mlink      : Mlink_type;
   end record;

type machine_array_type is array(positive range <>) of Mlink_type;

type system_array_type is array(1..2) of machine_array_type;


Some data structures shown above are peculiar to Ada. Access types are data types that provide an access (“pointer”) to an object of another type or subtype. Storage locations are reserved dynamically during the execution of a program by use of a memory allocator. A record type is simply a collection of elements where each element is referred to by its name. The array of linked lists is defined as an unconstrained array, whereas, at compile time, the number of machines is set at two. To illustrate the finite state machine data structure the CFSM stop_and_wait protocol is shown in Figure 12.


Figure 12: Finite State Machine representation, stop_and_wait. [Drawing not recoverable from extraction: it shows the adjacency-list records of Machine 1 and Machine 2, each record carrying the fields transition, message, next state, executed (no) and Mlink; legible entries are a rcv D record and a snd A record with next state 0.]


C. REACHABILITY ANALYSIS

In order to determine if all states in a network are reachable, a graph is constructed. After the textual representation of the CFSM is input, the adjacency lists are constructed as described in the previous section. The initial states for each machine indicate the starting position of each list. From the lists a directed graph is constructed. It is from this directed graph that deadlocks and unspecified receptions are sensed and the appropriate output message is displayed.


The algorithm to construct the global reachability graph is:


loop
   for array_index in 1..rowsize loop                  -- machine 1
      if machine1(array_index).transition = snd or
         machine1(array_index).message = top_of_queue21 then
         make temp Gstate record
         search list for Gstate record
         if found then link current to found state
         else make new node and link into Gstate_graph
              and push pointer onto pointer stack
      else none_found
   end loop
   for array_index in 1..rowsize loop                  -- machine 2
      if machine2(array_index).transition = snd or
         machine2(array_index).message = top_of_queue12 then
         make temp Gstate record
         search list for Gstate record
         if found then link current to found state
         else make new node and link into Gstate_graph
              and push pointer onto pointer stack
      else none_found
   end loop
   if stack is empty then
      raise STACK_EMPTY
   else
      pop last Gstate
end loop


The initial global state tuple (node) is created from the starting state of each machine’s adjacency list. From the top node, tuples (global states) are added to the graph using the reachability algorithm. The algorithm shows the graph being constructed with a stack based implementation, allowing a breadth first construct. The option is given to the user to construct the graph depth first. A case statement is used to toggle between stack or queue procedures/functions (this is not shown in the algorithm above). Figure 13 shows the internal representation of the global reachability graph for the stop_and_wait protocol.
Figure 13: CFSM internal reachability graph, stop_and_wait. [Drawing not recoverable from extraction: it shows the chain of global state nodes starting at top_Gstate, each node carrying the fields number, machine1 state, machine2 state, queue 12, queue 21 and link, and each transition record carrying the fields Gtransition (snd/rcv), Gmessage (D or A), new node (yes/no) and Glink.]


Note that when a tuple is generated, a data structure representing a transition and a node are separately added. The field new_node was included in the transition structure to allow proper traversal of the graph. The current version of the program allows for four transitions from each tuple. This can be expanded upward if needed.

Exception handlers were used to maintain control in the reachability graph construction. Whenever a queue or stack is empty, control is handed to the exception handler to continue program execution. The exception handlers allow specific error conditions to be defined, sensed, and acted upon appropriately.

During graph construction, global state tuples are identified that satisfy the deadlock and unspecified reception properties. If a global state node has only receiving transitions from it and both queues are empty, a deadlock message is displayed to output. If the global state node has outgoing receive transitions and the head of the respective queue does not match the receive transition (assuming the queue(s) are not empty), then an unspecified reception message is displayed to output. When the construction of the graph is complete the adjacency lists are checked for any unexecuted transitions. The contents of the lists are displayed after the output of the graph is done. Unexecuted transitions are identified by the executed field with a no entry. For an example see Figure 15.
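
The construction loop of Section C together with the deadlock, unspecified reception and unexecuted-transition checks just described, as an added Python example (it is not the thesis's Ada program). It assumes the adjacency-list encoding machine -> state -> list of (kind, message, next_state) triples, keeps each channel as a bounded FIFO string of message letters (queue12 feeds machine 2, queue21 feeds machine 1), and toggles between a queue and a stack worklist the way the text's case statement does. The sample protocols are constructed inline: STOP_AND_WAIT is the two-machine protocol from the text, and BAD_ACK is a faulty variant in which machine 2 acknowledges with B, which machine 1 never expects. The deadlock test goes slightly beyond the text's wording by also flagging a node from which no send can fire and whose channels are empty.

```python
"""Global reachability analysis of a two-machine CFSM with bounded channels
(added example, not the thesis's code)."""
from collections import deque
from typing import Dict, List, Tuple

Trans = Tuple[str, str, int]                     # (kind 'snd'|'rcv', message, next_state)
Machines = Dict[int, Dict[int, List[Trans]]]     # machine -> state -> adjacency list
GState = Tuple[int, int, str, str]               # (state1, state2, queue12, queue21)

# Constructed sample: the stop_and_wait protocol from the text.
STOP_AND_WAIT: Machines = {
    1: {0: [("snd", "D", 1)], 1: [("rcv", "A", 0)]},
    2: {0: [("rcv", "D", 1)], 1: [("snd", "A", 0)]},
}
# Constructed faulty variant: machine 2 answers with B, which machine 1 cannot receive.
BAD_ACK: Machines = {
    1: {0: [("snd", "D", 1)], 1: [("rcv", "A", 0)]},
    2: {0: [("rcv", "D", 1)], 1: [("snd", "B", 0)]},
}


def successors(m: Machines, g: GState, max_queue: int):
    """Executable transitions of g: a send needs room in its channel, a receive
    needs its message at the head of the incoming channel."""
    s1, s2, q12, q21 = g
    out = []                                     # (machine, transition, successor)
    for t in m[1].get(s1, []):
        kind, msg, nxt = t
        if kind == "snd" and len(q12) < max_queue:
            out.append((1, t, (nxt, s2, q12 + msg, q21)))
        elif kind == "rcv" and q21[:1] == msg:
            out.append((1, t, (nxt, s2, q12, q21[1:])))
    for t in m[2].get(s2, []):
        kind, msg, nxt = t
        if kind == "snd" and len(q21) < max_queue:
            out.append((2, t, (s1, nxt, q12, q21 + msg)))
        elif kind == "rcv" and q12[:1] == msg:
            out.append((2, t, (s1, nxt, q12[1:], q21)))
    return out


def analyze(m: Machines, initial=(0, 0), max_queue=3, breadth_first=True):
    """Build the global reachability graph and classify its nodes.
    Returns (nodes, edges, deadlocks, unspecified, unexecuted)."""
    start: GState = (initial[0], initial[1], "", "")
    nodes = {start: 1}                           # global state -> node number
    edges = []                                   # (from, machine, transition, to)
    deadlocks, unspecified = [], []
    executed = set()                             # (machine, state, transition) that fired
    work = deque([start])
    while work:
        g = work.popleft() if breadth_first else work.pop()   # queue vs. stack
        s1, s2, q12, q21 = g
        for mach, t, h in successors(m, g, max_queue):
            executed.add((mach, s1 if mach == 1 else s2, t))
            if h not in nodes:
                nodes[h] = len(nodes) + 1        # new node, linked into the graph
                work.append(h)
            edges.append((nodes[g], mach, t, nodes[h]))
        outgoing = m[1].get(s1, []) + m[2].get(s2, [])
        # Deadlock: no send can fire (only receives, or nothing) and both channels empty.
        if not any(k == "snd" for k, _, _ in outgoing) and not q12 and not q21:
            deadlocks.append(nodes[g])
        # Unspecified reception: a non-empty channel whose head message matches
        # none of the receiving machine's receive transitions.
        for mach, st, q in ((1, s1, q21), (2, s2, q12)):
            expected = [msg for k, msg, _ in m[mach].get(st, []) if k == "rcv"]
            if q and expected and q[0] not in expected:
                unspecified.append(nodes[g])
    unexecuted = [(mach, st, t) for mach in m for st in m[mach] for t in m[mach][st]
                  if (mach, st, t) not in executed]
    return nodes, edges, deadlocks, unspecified, unexecuted
```

For STOP_AND_WAIT the analysis yields the four-node cycle of Figure 14 with nothing flagged; for BAD_ACK it stops at a fourth node where B sits at the head of queue21 while machine 1 can only receive A, reporting that node as an unspecified reception and listing machine 1's rcv A transition as never executed.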

Upon completion of the reachability graph construction, a pointer to the top global state node is passed to the output procedure.

When constructing a reachability graph there are two factors that need to be considered: run time and the size of the graph generated. As noted earlier, a ceiling can be placed on the size of the graph by the user prior to compilation. Ideally, a specification could be input to the program and an analysis could run for as long as needed (perhaps days); however, most computer systems are limited by storage. The question of storage capacity is left to the user of the program. A determination must be made as to how large a graph to anticipate (worst case is the largest integer representable in a register) and how much storage space the underlying system can provide.
The design of the program addresses the issue of running time. The running time, or complexity, of the reachability analysis is dominated by the algorithm that governs the directed graph traversal. All traversals are done in both models (CFSM and SCM) in a recursive, depth first manner. The complexity, in big O notation, for traversals of a directed graph can easily be defined. Consider a reachability graph G = (V, E) consisting of a set V of vertices (nodes) and a set E of edges (transitions). Each edge corresponds to a pair of distinct vertices in the directed graph. The running time or complexity of such a graph traversal is proven by induction to be O(|V| + |E|). A rigorous proof of the complexity appears in [MANB 89].


D. OUTPUT 

The output procedure for the CFSM tool displays the reachability graph and associated messages to both a text file and the default output device. The output procedure has as a parameter a pointer to the top global state (node). From the top node the graph is traversed in a depth first manner and saved to an output medium. The contents of the adjacency lists are also displayed to output, providing a means to cross check the CFSM construction and identify unexecuted transitions, as shown for stop_and_wait in Figure 14.
REACHABILITY ANALYSIS of : stop_and_wait


1 [0,E,E,0] -D [1,D,E,0] 2
2 [1,D,E,0] +D [1,E,E,1] 3
3 [1,E,E,1] -A [1,E,A,0] 4
4 [1,E,A,0] +A [0,E,E,0] -

Machine 1 Array Contents

| From | To | Transition | Executed |
|  0   | 1  | snd D      | yes      |
|  1   | 0  | rcv A      | yes      |

Machine 2 Array Contents

| From | To | Transition | Executed |
|  0   | 1  | rcv D      | yes      |
|  1   | 0  | snd A      | yes      |


* The nodes generated by the analysis
  were done in a breadth first manner


Figure 14: CFSM, analysis output, stop_and_wait


To illustrate the formatting of the model’s output an example is presented. Assume that a CFSM exists reflected by the following specification:


[State diagrams of Machine 1 and Machine 2 not recoverable from extraction; legible transition labels are +X, +A and +B.]


The input file is:


start
machine 1
state 1
trans -D 2
state 2
trans +A 1
machine 2
state 1
trans +D 2
state 2
trans -A 1
initial_state 1 1
finish


The output file reflecting deadlock, unspecified receptions, and unexecuted transitions is shown in Figure 15.


REACHABILITY ANALYSIS of : deadlock_example


[The global state rows of this output are not recoverable from extraction; among them are the flagged lines
 ***** DEADLOCK Condition *****
 ***** Unspecified Reception *****]


Machine 1 Array Contents

| From | To | Transition | Executed |
|  1   | 2  | snd X      | yes      |
|  2   | 1  | rcv A      | no       |


Machine 2 Array Contents

| From | To | Transition | Executed |
|  ?   | ?  | snd B      | yes      |
|  ?   | ?  | rcv X      | yes      |
|  ?   | ?  | rcv B      | no       |
|  ?   | 1  | rcv X      | yes      |


* The nodes generated by the analysis
  were done in a depth first manner


Figure 15: CFSM, analysis output, deadlock/unspecified reception/unexecuted transition example.
IV. AN AUTOMATED TOOL FOR SCM REACHABILITY ANALYSIS


In this chapter, a program is introduced that automates the SCM model. It provides an intuitive environment to input a protocol specification and receive the analysis in an understandable format. Since the model only uses variables and finite state machines to describe a protocol’s behavior, it is considered an approximate model. There are certain details of protocol design, such as message and header format, that are abstracted from the analysis. The succinctness of a protocol representation helps analyze the logic and structure without getting lost in a myriad of detail.

The organization of this program is similar to that of the CFSM program. A means for input, output, global reachability analysis, and system reachability analysis are highlighted. Excerpts of the code are accompanied by a brief explanation of structure and application. The formal definition of the SCM model found in Chapter II is the basis for constructing the program.
The protocol specification and analysis of the stop_and_wait data link protocol will be used throughout this chapter to demonstrate the interface of the program to the user. The specification for the sample protocol is shown in Figure 16.


Figure 16: SCM, specification for stop_and_wait. [Figure only partially recoverable from extraction: it shows the FSMs of Machine 1 and Machine 2 with the transitions xmt_data, rcv_data, xmt_ack and rcv_ack, and the predicate-action table; legible entries include out_buff /= E, CHAN := out_buff, in_buff := CHAN, CHAN := E, RET = A and RET := E.]


A. PROGRAM STRUCTURE 

The structure of the SCM program is similar to the CFSM implementation. There must be a means for input, output, and reachability analysis. The input is more complex because not only must the FSM’s be entered, but also the variable definitions and the associated predicate-action table, as shown in Figure 16. The input can be viewed as hierarchical. The global and system reachability analyses are performed using different algorithms and are described in later sections. The code for producing output is identical to the CFSM program with some additions to allow the user to tailor variable output.


Figure 17: SCM run time behavior. [Diagram not recoverable from extraction; its elements are the text file of FSM’s, the variable definitions, the predicate-action table, and the global and system reachability analysis.]


The program, written in Ada, consists of packages, procedures, and functions that make up the basic structure mentioned above. A package specifies a group of logically related entities, such as types, and objects of those types, as defined in [GONZ 91] and [SKAN 88]. The procedures and functions that were subject to change/updates were also treated as separate compilation units. To give a ‘feel’ for the different components of the program, the separate compilation units and the files that contain them are shown in Table 4.

TABLE 4: SCM compilation units.

Unit                       Description                                      File
load_machine_array         builds machine adjacency lists from parsed file
build_Gstate_graph         builds global reachability analysis graph        global_reachability.a
clear_pointers             clears the values for another input file         global_reachability.a
search_for_Gtuple          performs BFS search of global reachability       global_search.a
                           graph
IsEqual                    compares global records and associated           global_search.a
                           transitions for equality
build_Sstate_graph         builds system reachability analysis graph        system_reachability.a
search_for_Stuple          performs BFS search of graph
IsSysStateEqual            compares system records and associated           system_search.a
                           transitions for equality
output_Gstate_node         format for node output                           global_output.a
output_Gstate_transition   format for transition output                     global_output.a
output_Gstates             traverses graph and outputs nodes and            global_output.a
                           transitions
output_machine_arrays      format output of contents of adjacency lists     global_output.a
output_Sstate_node         format for node output                           system_output.a
output_Sstate_transition   format for transition output                     system_output.a
output_Sstates             traverses graph and outputs nodes and            system_output.a
                           transitions
output_Gtuple              format a record for output                       user_output.a
variable_definitions       user defined protocol variables
Analyze_Predicates         performs analysis of predicates and determines   predicate_action.a
                           which transitions are enabled
Action                     changes the global and local variables based     predicate_action.a
                           on the transition executed


The user has access to the last three files shown in Table 4. The variable definition package, Predicate_Analysis function, and Action procedure contained in these files are modified by the user to reflect the specific protocol to be analyzed. Formats for each unit will be outlined in Sections B, C, and D. The other files and procedures will remain hidden from the user because they are independent of any protocol to be analyzed. Figure 18 shows the files and generic units used at compilation time.


Figure 18: SCM compilation units. [Diagram rendered as a list: main procedure scm.a; generic units Stacks, Integer_IO, Text_IO, Enumeration_IO; separate compilation units input.a, predicate_action.a, user_definitions.a, global_output.a, system_output.a, global_search.a, system_search.a, global_reachability.a, system_reachability.a.]
B. INPUT


An intuitive and understandable means to input a specification is helpful in any protocol analysis program. A protocol specification is divided into shared and local variable definitions, predicate-action table representation, and finite state machine storage structure.

The different parts of each specification to be analyzed must be input in a certain order. The definitions package, Analyze_Predicate function, and Action procedure must be constructed and compiled before the program is executed. When the program is executed the user then inputs the FSM text file and obtains the reachability analysis. Since the compilation of the program depends on the variables in the definitions package, this package is written and compiled first. This is a technique to verify variable definition correctness in the Ada environment. Once the definitions package is compiled, the Analyze_Predicate function and Action procedure can then be compiled. This step-wise refinement facilitates error free specification representation.

At any point in execution of the program the status of all variables is kept in the global state record. Each node in the global reachability graph has a copy of this record. Within the main procedure a global state record is declared as


type Gstate_record_type is
   record
      machine1_state   : machine1_state_type;
      machine2_state   : machine2_state_type;
      GLOBAL_VARIABLES : global_variable_type;
   end record;


Having the machine and global types defined in a separate package ensures that only select pieces of code can be modified by the user. The definitions package contains the machine1_state_type, machine2_state_type, and global_variable_type declarations; thus this package must be compiled first.

The order in which each input category is covered in this chapter reflects the order in which the protocol specification should be constructed and compiled.
1. Protocol Variable Definitions


The user defines the protocol environment variables in the definitions package. Variables can either be local to a specific machine or global to the system. The global variables are considered shared and allow communication between the machines in the system. The local variables are only visible to the machine they are defined for. A discrete variable can be one of the many Ada defined types such as:


integer    natural        character
array      [illegible]    boolean
record     access


Variables of these types, or of their subtypes, can be used to define the protocol environment.

A template for the definitions package is illustrated in Figure 19. The shaded areas of the figure are where the variables of the protocol are inserted. All other code should remain unchanged. Additional type declarations should be placed before the machine type declarations. The state number of each machine is initialized to one even though this may be different from the initial state given explicitly in the FSM text file that is input.


package definitions is

   type scm_transition_type is ( ... );     -- SCM transition labels

   ...                                      -- protocol dependent types

   type machine1_state_type is
      record
         state_number : natural := 1;
         ...                                -- machine 1 local variables
      end record;

   type machine2_state_type is
      record
         state_number : natural := 1;
         ...                                -- machine 2 local variables
      end record;

   type global_variable_type is
      record
         ...                                -- global (shared) variables
      end record;

end definitions;


Figure 19: SCM, definitions package template.


The variable declarations for the stop_and_wait protocol are shown in Figure 20.


package definitions is

   type scm_transition_type is (xmt_data, rcv_data, xmt_ack, rcv_ack);

   type buffer_type is (d, e, a);

   type machine1_state_type is
      record
         state_number : natural := 1;
         out_buff     : buffer_type := d;
      end record;

   type machine2_state_type is
      record
         state_number : natural := 1;
         in_buff      : buffer_type := e;
      end record;

   type global_variable_type is
      record
         CHAN : buffer_type := E;
         RET  : buffer_type := E;
      end record;

end definitions;


Figure 20: SCM, definitions package, stop_and_wait.


The transitions are represented as xmt_data, xmt_ack, rcv_data, and rcv_ack instead of -D, -A, +D, and +A. Machine one has a local variable that serves as an out-bound buffer (out_buff). It is initialized with data present in the buffer, represented by ‘d’. The only machine that sees the variable contents is Machine one. Machine two is similar in that it has a buffer for receiving (in_buff) data from the channel. The global variables are the shared variables channel (CHAN) and a return link (RET). Both variables are initialized empty and can be accessed by each machine. The values that CHAN, RET, in_buff, and out_buff can have are defined as a buffer_type. The buffer_type variables can have the values e (empty), d (data), or a (acknowledgement). The stop_and_wait protocol example shows how easily variables can be represented. All the text in bold lettering is user defined variables and types.


2. Predicate-Action Table Representation 

The predicate-action table serves as the engine of the analysis. The enabling predicate defines the logic that must hold true for the transition to be taken (refer to Table 1). Local and global variables must meet these conditions. A number of transitions could be enabled, but for a transition to be executed the state of the machine must also be considered. The action column of the predicate-action table identifies the variable changes that must take place when the transition is executed. The program captures the essence of the predicate-action table by breaking the components of the table into subprograms. A subprogram in the Ada environment is a function, procedure, or package. Since the user must have access to a number of the subprograms, they are represented as separate compilation units.
The first subprogram is the Analyze_Predicate function. A function is a subprogram that returns a value to the location in which it was invoked. It can only have input parameters. The function is handed the machine local variables and the system global variables as input parameters. Since more than one transition could be enabled, a stack is used to hold all transitions that are enabled. A transition is pushed onto the stack if it is enabled and the function returns the entire transition_stack. From the transition_stack values and a pointer to the current state in the machine adjacency matrix, a determination is made on which transition can actually be executed. There are a number of Analyze_Predicate functions, one for each machine. The template for the Analyze_Predicate function is shown in Figure 21.


separate (main)
function Analyze_Predicates_Machine1 (local  : machine1_state_type;
                                      GLOBAL : global_variable_type)
   return transition_stack_package.stack is
begin
   MakeEmpty (transition_stack);
   if ... then                                   -- enabling condition
      Push (transition_stack, ...);              -- enabled transition
   end if;
   return transition_stack;
end Analyze_Predicates_Machine1;


Figure 21: SCM, Analyze_Predicate function template.


Once a transition is executed, changes must be made to some or all of the variables. A procedure using a case statement was the simplest way to make the changes to the global state record. The Action procedure has three parameters: the transition that is executed and the current global state record are in parameters, and the updated global state record is the out parameter. The transition is passed into the procedure and a case statement determines which series of instructions are to be executed. These instructions make the appropriate changes to the protocol environment variables. The out_system_state is handed out of the procedure containing the changed protocol variables. The template for the Action procedure is shown in Figure 22.


separate (main)
procedure Action (in_system_state  : in  Gstate_record_type;
                  in_transition    : in  scm_transition_type;
                  out_system_state : out Gstate_record_type) is
begin
    case (in_transition) is
        when (<enabled transition>) =>
            <action taken>
        when others =>
            put_line ("Error in the Action procedure");
    end case;
end Action;

Figure 22: SCM, Action procedure template.


The three subprograms that reflect the logic of the predicate-action table are grouped together in one file (predicate_action.a). The file for the stop_and_wait protocol is:


separate (main)
function Analyze_Predicates_Machine1 (local  : machine1_state_type;
                                      GLOBAL : global_variable_type)
    return transition_stack_package.stack is
begin
    MakeEmpty (transition_stack);
    if ((local.out_buff /= e) and (GLOBAL.CHAN = E)) then
        Push (transition_stack, xmt_data);
    end if;
    if (GLOBAL.RET = A) then
        Push (transition_stack, rcv_ack);
    end if;
    return transition_stack;
end Analyze_Predicates_Machine1;

separate (main)
function Analyze_Predicates_Machine2 (local  : machine2_state_type;
                                      GLOBAL : global_variable_type)
    return transition_stack_package.stack is
begin
    MakeEmpty (transition_stack);
    if ((GLOBAL.CHAN /= E) and (local.in_buff = e)) then
        Push (transition_stack, rcv_data);
    end if;
    Push (transition_stack, xmt_ack);
    return transition_stack;
end Analyze_Predicates_Machine2;

separate (main)
procedure Action (in_system_state  : in  Gstate_record_type;
                  in_transition    : in  scm_transition_type;
                  out_system_state : out Gstate_record_type) is
begin
    case (in_transition) is
        when (xmt_data) =>
            out_system_state.GLOBAL_VARIABLES.CHAN :=
                in_system_state.machine1_state.out_buff;
        when (rcv_ack) =>
            out_system_state.GLOBAL_VARIABLES.RET  := E;
            out_system_state.GLOBAL_VARIABLES.CHAN := E;
            out_system_state.machine2_state.in_buff := e;
        when (xmt_ack) =>
            out_system_state.GLOBAL_VARIABLES.RET := A;
        when (rcv_data) =>
            out_system_state.machine2_state.in_buff :=
                in_system_state.GLOBAL_VARIABLES.CHAN;
        when others =>
            put_line ("Error in the Action procedure");
    end case;
end Action;

Figure 23: SCM, analyze_predicate.a, stop_and_wait.


The boldface text in Figure 23 indicates what the user provided as input to define the specification shown in the stop_and_wait predicate-action table (see Figure 16).


3. Finite State Machines

The FSMs are input as a text file during program execution. This file is built by the user with a set of language rules similar to the Backus-Naur Form (BNF) shown in Chapter III. The only change to the format of the input is the transition (trans) lines. In the CFSM model only send and receive transitions were allowed, whereas in the SCM model a transition can have any label that follows the enumeration rules. The lines of the text file are buffered and parsed. From each parsed line, groups of strings called tokens are manipulated as described in Chapter III. The list of valid instructions for finite state machine input is:

start
machine <natural>
state <natural>
initial_state <natural> <natural>
trans <enumeration literal> <natural>
finish
The tokens are cast into either enumerated types (instructions) or integers (integer variables). The integer variables have been formally defined within the main procedure in Appendix B. The meaning of the instructions is given in Figure 24.

start           Serves as a beginning flag for the file.
machine         Defines the current machine.
state           Defines the current state.
initial_state   The initial/start state for machines one and two.
trans           Transition type and next state.
finish          This token serves as an ending flag for the file.

Figure 24: Input File definitions.


Representation of a finite state machine using the above convention has some inherent constraints. Ada's rules for constructing enumeration literals must be followed. For instance, the values of an enumeration type must be identifiers (or character literals), so a transition label cannot begin with a digit. The input file for stop_and_wait is shown in Figure 25:

start
machine 1
state 0
trans xmt_data 1
state 1
trans rcv_ack 0
machine 2
state 0
trans rcv_data 1
state 1
trans xmt_ack 0
initial_state 0 0
finish

Figure 25: SCM, Input File, stop_and_wait.


A data structure that contributes to the reachability analysis is the FSM adjacency list. The adjacency list was chosen as the structure to represent the directed graph of the finite state machines. The actual data structure used to build the adjacency list, with the defined constraints, is:

type machine_array_record_type;
type Mlink_type is access machine_array_record_type;
type executed_type is (yes, no);

type machine_array_record_type is
    record
        transition : scm_transition_type;
        next_state : natural;
        executed   : executed_type;
        Mlink      : Mlink_type;
    end record;

type machine_array_type is array (positive range <>) of Mlink_type;

type system_array_type is array (1..2) of machine_array_type;

The internal representation of the FSM adjacency lists is the same as in Figure 12, except that the SCM adjacency lists do not have a message field.
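
As an added example, not code from the thesis (whose program is written in Ada), the following Python parser reads the input format of Section 3 above and builds the adjacency lists just described, enforcing the constraints the text mentions: a transition label must be a legal enumeration literal (so it cannot start with a digit), the file must be bracketed by start and finish, and every next state and initial state must be a declared state of its machine. The sample file is the stop_and_wait input of Figure 25. The list-of-rows representation, the helper names and the error messages are choices of this example.

```python
import re

# Constructed input in the page's SCM file format (the stop_and_wait
# machines of Figure 25); example code, not the thesis's Ada program.
SAMPLE_INPUT = """\
start
machine 1
state 0
trans xmt_data 1
state 1
trans rcv_ack 0
machine 2
state 0
trans rcv_data 1
state 1
trans xmt_ack 0
initial_state 0 0
finish
"""

# A transition label must be a legal Ada enumeration literal, i.e. an
# identifier: it starts with a letter, never with a digit.
LITERAL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def _naturals(args, count, lineno):
    """Check that exactly `count` natural numbers follow an instruction."""
    if len(args) != count or not all(a.isdigit() for a in args):
        raise ValueError(f"line {lineno}: expected {count} natural number(s)")
    return [int(a) for a in args]


def parse_fsm_file(text):
    """Parse start/machine/state/trans/initial_state/finish into adjacency
    lists: adjacency[machine][state] is a list of [transition, next_state,
    executed] rows (the SCM row has no message field). Returns
    (adjacency, initial_states). Raises ValueError on malformed input."""
    adjacency, initial = {}, None
    machine = state = None
    started = finished = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        instr, args = tokens[0], tokens[1:]
        if finished:
            raise ValueError(f"line {lineno}: instruction after finish")
        if instr == "start":
            if started:
                raise ValueError(f"line {lineno}: duplicate start")
            started = True
        elif not started:
            raise ValueError(f"line {lineno}: '{instr}' before start")
        elif instr == "machine":
            (machine,) = _naturals(args, 1, lineno)
            adjacency.setdefault(machine, {})
            state = None
        elif instr == "state":
            if machine is None:
                raise ValueError(f"line {lineno}: state before machine")
            (state,) = _naturals(args, 1, lineno)
            adjacency[machine].setdefault(state, [])
        elif instr == "trans":
            if state is None:
                raise ValueError(f"line {lineno}: trans before state")
            if len(args) != 2 or not LITERAL_RE.match(args[0]):
                raise ValueError(f"line {lineno}: bad transition label {args[:1]}")
            (nxt,) = _naturals(args[1:], 1, lineno)
            adjacency[machine][state].append([args[0], nxt, False])
        elif instr == "initial_state":
            initial = tuple(_naturals(args, len(adjacency), lineno))
        elif instr == "finish":
            finished = True
        else:
            raise ValueError(f"line {lineno}: unknown instruction {instr!r}")
    if not (started and finished) or initial is None:
        raise ValueError("file needs start, initial_state and finish")
    # Every next_state and initial state must be a declared state of its
    # machine; otherwise the analysis would walk off the adjacency list.
    for m, rows in sorted(adjacency.items()):
        for s, row in rows.items():
            for label, nxt, _ in row:
                if nxt not in rows:
                    raise ValueError(f"machine {m}: {label} from state {s} "
                                     f"to undeclared state {nxt}")
    for m, s in zip(sorted(adjacency), initial):
        if s not in adjacency[m]:
            raise ValueError(f"machine {m}: initial state {s} not declared")
    return adjacency, initial


def rejects(text):
    """True when parse_fsm_file refuses `text` (used to exercise the checks)."""
    try:
        parse_fsm_file(text)
    except ValueError:
        return True
    return False
```

Each row carries an executed flag initialised to False, which is what the analysis later sets when the transition fires; a row that is still False at the end is reported as an unexecuted transition.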


C. REACHABILITY ANALYSIS

The process of generating the set of all states reachable from the initial state is called state reachability analysis. During the reachability analysis, checks for deadlock, unspecified reception, and unexecuted transitions are done. The reachability analysis of a specific protocol is done in two phases.

The first is to generate a global state reachability graph. This analysis constructs a graph whose nodes are the reachable global states and whose arcs indicate the transitions leading from each global state to another. The global state (node) contains the state of each machine and the values of all the variables.

The second phase of the analysis is to generate a separate system state reachability graph from the global state reachability graph. The system reachability graph contains nodes with just the state information of each machine. The rules for the generation of new states are discussed in Section 2.


1. Global State Analysis

The process of generating the set of all global states reachable from the initial global state is called global state analysis. This analysis produces a graph whose nodes are the reachable global states and whose arcs indicate the transitions leading from each global state to another. The global state of a system consists of the system state tuple plus the values of all variables, both local and shared. The algorithm as it appears in [LUND 91a] is:

(1) Set each machine to its initial state, and all variables to their initial values. The initial set of reachable global states consists of the initial system state and the value of all variables; the initial graph is a single node representing this state.

(2) From the current global state vector and variable values, determine which transitions are enabled. For each of these transitions, determine the global state which results from its execution. If this state (with the same enabled transitions) has already been generated, then draw an arc from the current state to it, labeling the arc with the transition name. Otherwise, add the new global state to the graph, draw an arc from the current state to it, and label the arc with the name of the transition.

(3) For each new state generated in step 2, repeat step 2. Continue until step 2 has been repeated for each global state thus generated, and no more new states are generated.

The algorithm above was modified to make use of the existing data structures introduced in the CFSM program. A pseudo-code algorithm to construct the global reachability graph is:


create top_Gstate pointer and initial node in Gstate_graph
main loop
    for machine_index in 1..number_of_machines loop
        transition_stack := Analyze_Predicates(machine_index, current_Gstate)
        while transition_stack is not empty loop
            while current row of machine(machine_index) is not null loop
                if current row transition = top of transition_stack then
                    perform Action procedure on current_Gstate and place
                        results in a temp_Gstate
                    search Gstate_graph for temp_Gstate
                    if temp_Gstate not found then
                        insert temp_Gstate in Gstate_graph
                        Enqueue pointer to location in Gstate_pointer_queue
                    else
                        link current_Gstate to found Gstate
                        set new_node flag to false
                    end if
                else
                    traverse current row of machine(machine_index)
                end if
            end loop --machine row traversal loop
            Pop a transition from the transition_stack
        end loop --transition loop
        if the Gstate_pointer_queue is not empty then
            Dequeue a pointer
            go to the appropriate row of machine(machine_index)
        else
            exit loop
        end if
    end loop --machine loop
exception
    when Gstate_pointer_queue is empty then
        exit main loop
    when Gstate_pointer_queue is full then
        print error message
        exit main loop
end main loop


The data structures that are used in the program are defined in the specification of the main procedure and in the definitions package. The machine states and variables, along with the global variables, are defined in the definitions package. The remaining data structures, which are hidden from the user, are shown in Figure 26.

--data structures for the global state tuple (node)
type global_state_type;
type Glink_type is access global_state_type;

--transition structure
type Gstate_transition_type is
    record
        Gtransition : scm_transition_type;
        new_node    : boolean := true;
        Glink       : Glink_type;
        executed    : boolean := false;
    end record;

--global tuple structure
type Gstate_record_type is
    record
        machine1_state   : machine1_state_type;
        machine2_state   : machine2_state_type;
        global_variables : global_variable_type;
    end record;

--Global state node, contains transition, state, and link information
--needed for building the global state graph
type global_state_type is
    record
        node_number : natural := 0;
        Gtuple      : Gstate_record_type;
        link1       : Gstate_transition_type;
        link2       : Gstate_transition_type;
        link3       : Gstate_transition_type;
        link4       : Gstate_transition_type;
    end record;

Figure 26: SCM, global definitions.


The data structure of the global node (global_state_type) encapsulates the information contained in the global state record. The global transition record has the type of transition and information about the node it is pointing to. If the node it points to already existed in the graph, the new_node field is set to false; otherwise it keeps its initialized value of true. It also has a visited field (declared executed in Figure 26), used during the construction of the system state reachability graph. The internal representation of the graph generated by the stop_and_wait protocol highlights all the data structures used (see Figure 27).

[Figure 27 diagram not reproduced: the four linked global nodes of stop_and_wait, each link carrying its Gtransition (xmt_data, rcv_data, xmt_ack, rcv_ack) with its new_node and visited flags.]

Figure 27: SCM internal global reachability graph, stop_and_wait.
2. System State Analysis

System state analysis is similar to global state analysis. The number of states generated by the system state analysis is less than or equal to the number of states in the CFSM model or in the global analysis of the SCM model. Only the states of the machines and the transitions from those states are considered when generating a new state. The formal steps in constructing a system state graph, as they appear in [LUND 91a], are:

(1) Set each machine to its initial state, and all variables to their initial values. The initial set of reachable system states consists of only the initial system state; the initial graph is a single node representing this state.

(2) From the current system state vector and variable values, determine which transitions are enabled. For each of these transitions, determine the system state which results from its execution. If this state (with the same enabled transitions) has already been generated, then draw an arc from the current state to it, labeling the arc with the transition name. Otherwise, add the new system state to the graph, draw an arc from the current state to it, and label the arc with the name of the transition.

(3) For each new state generated in step 2, repeat step 2. Continue until step 2 has been repeated for each system state thus generated, and no more new states are generated.

The portion of the program that builds the system state graph makes use of the information already available in the global state graph. In the current version of the program the global reachability graph is constructed first, followed by the system reachability graph. Future versions would allow the user to select which analysis to perform, but currently both are constructed and output. The pointer to the initial global state is provided as an input parameter to the build_Sstate_graph procedure. The global state graph is traversed in a breadth-first manner, and as the nodes are visited the system state graph is constructed. If the system state graph were being constructed independently of the global state graph, the algorithm would be very similar to the one in the previous section. Since the system state graph is constructed from the global reachability graph alone, the machine matrices are not used. The pseudo-code algorithm for this approach is:


create top_Sstate pointer and build initial_Sstate node
main loop
    while (current_Gstate.link not null and not visited) loop
        visit a Gstate_graph node using BFS traversal
        mark the link taken as visited
        create a temp_Sstate with values of current_Gstate
        search Sstate_graph for temp_Sstate
        if temp_Sstate not found then
            insert temp_Sstate in Sstate_graph
        else
            link current_Sstate to found Sstate
            set new_node flag to false
        end if
    end loop
end main loop
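
The two algorithms of this section, global state analysis and the system state projection derived from it, are small enough to run end to end on stop_and_wait. The following is an added example in Python, not code from the thesis (whose program is Ada): it transcribes the stop_and_wait predicate-action table and the Figure 25 machines into data, builds the global graph breadth-first, projects it onto the system graph using the page's rule that a repeated state is merged only when its enabled transitions are the same, and reports deadlocks and unexecuted transitions. The dictionary representation, the analyze/check function names and the use of one lowercase spelling for the d/D and e/E enumeration values (the case difference is only output formatting on the page) are assumptions of this example.

```python
from collections import deque

# Constructed stop_and_wait specification transcribed from the page's
# predicate-action table and Figure 25 (example code, not the thesis's Ada).
# Enumeration case (d/D, e/E) is only output formatting on the page, so one
# lowercase spelling is used here for buffer and channel contents.
INITIAL = {"m1": 0, "m2": 0, "out_buff": "d", "CHAN": "e", "RET": "e", "in_buff": "e"}

# Adjacency lists: machine -> state -> [(transition, next_state)].
FSM = {
    "m1": {0: [("xmt_data", 1)], 1: [("rcv_ack", 0)]},
    "m2": {0: [("rcv_data", 1)], 1: [("xmt_ack", 0)]},
}


def analyze_predicates(machine, g):
    """Predicate half of the table: transitions whose enabling condition
    holds in global state g (Analyze_Predicates_Machine1/2 on the page)."""
    enabled = []
    if machine == "m1":
        if g["out_buff"] != "e" and g["CHAN"] == "e":
            enabled.append("xmt_data")
        if g["RET"] == "a":
            enabled.append("rcv_ack")
    else:
        if g["CHAN"] != "e" and g["in_buff"] == "e":
            enabled.append("rcv_data")
        enabled.append("xmt_ack")  # unconditional; the FSM row restricts it
    return enabled


def action(transition, g):
    """Action half of the table: returns the updated global state."""
    n = dict(g)
    if transition == "xmt_data":
        n["CHAN"] = g["out_buff"]
    elif transition == "rcv_ack":
        n["RET"], n["CHAN"], n["in_buff"] = "e", "e", "e"
    elif transition == "xmt_ack":
        n["RET"] = "a"
    elif transition == "rcv_data":
        n["in_buff"] = g["CHAN"]
    else:
        raise ValueError(f"no action for {transition}")
    return n


def build_global_graph(initial, fsm, predicates, act):
    """Breadth-first global state reachability (the Section C.1 algorithm).
    nodes[i] is a global state, arcs are (src, label, dst) node indices,
    executed holds the (machine, state, label) rows that fired."""
    nodes, index, arcs, executed, queue = [], {}, [], set(), deque()

    def intern(g):  # node number of g, creating and queueing it if new
        k = tuple(sorted(g.items()))
        if k not in index:
            index[k] = len(nodes)
            nodes.append(g)
            queue.append(index[k])
        return index[k]

    intern(initial)
    while queue:
        cur = queue.popleft()
        g = nodes[cur]
        for m, rows in fsm.items():
            enabled = predicates(m, g)
            for label, nxt in rows[g[m]]:  # current row of this machine
                if label in enabled:
                    ng = act(label, g)
                    ng[m] = nxt  # next_state comes from the adjacency row
                    arcs.append((cur, label, intern(ng)))
                    executed.add((m, g[m], label))
    return nodes, arcs, executed


def check(nodes, arcs, executed, fsm):
    """Deadlock: a reachable node with no enabled transition. Unexecuted:
    adjacency rows never taken. Both are errors the page's program reports."""
    has_out = {s for s, _, _ in arcs}
    deadlocks = [i for i in range(len(nodes)) if i not in has_out]
    declared = {(m, s, l) for m, rows in fsm.items()
                for s, row in rows.items() for l, _ in row}
    return deadlocks, declared - executed


def build_system_graph(nodes, arcs, fsm):
    """Project the global graph onto machine states (Section C.2). Global
    nodes merge only when both their machine states and their set of
    enabled transitions coincide, which is the page's repeated-state rule."""
    out = {}
    for s, l, _ in arcs:
        out.setdefault(s, set()).add(l)

    def skey(i):
        return tuple(nodes[i][m] for m in fsm), frozenset(out.get(i, ()))

    sindex, snodes = {}, []
    for i in range(len(nodes)):
        if skey(i) not in sindex:
            sindex[skey(i)] = len(snodes)
            snodes.append(skey(i)[0])
    sarcs = sorted({(sindex[skey(s)], l, sindex[skey(d)]) for s, l, d in arcs})
    return snodes, sarcs


def analyze(initial=INITIAL, fsm=FSM):
    nodes, arcs, executed = build_global_graph(initial, fsm, analyze_predicates, action)
    deadlocks, unexecuted = check(nodes, arcs, executed, fsm)
    return {"global": (nodes, arcs), "system": build_system_graph(nodes, arcs, fsm),
            "deadlocks": deadlocks, "unexecuted": unexecuted}


if __name__ == "__main__":
    r = analyze()
    for src, label, dst in r["global"][1]:  # one line per arc, as in Figure 32
        print(src, list(r["global"][0][src].values()), label, dst)
    print("system arcs:", r["system"][1])
    print("deadlocks:", r["deadlocks"], "unexecuted:", r["unexecuted"])
```

Run as is, it reproduces the four global nodes and four system nodes of Figure 32; note that the two system nodes with machine states (1,0) stay distinct because one has rcv_data enabled and the other rcv_ack. Passing a machine table whose state 1 row for machine 2 is empty (xmt_ack removed) stops the exploration at the third node with no enabled transition, which is reported as a deadlock, and leaves rcv_ack of machine 1 unexecuted; that is exactly how the page's error messages arise.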


The data structures for the system state graph construction, except for the transition labels, are completely hidden from the user. The system related data structures as they appear in the main procedure are shown in Figure 28.

type system_state_type;
type Syslink_type is access system_state_type;

--transition structure for system state
type Sstate_transition_type is
    record
        Stransition : scm_transition_type;
        new_node    : boolean := true;
        Syslink     : Syslink_type;
    end record;

type Sstate_record_type is
    record
        machine1_state : natural := 0;
        machine2_state : natural := 0;
    end record;

--system state structure
type system_state_type is
    record
        node_number : natural := 0;
        Stuple      : Sstate_record_type;
        link1       : Sstate_transition_type;
        link2       : Sstate_transition_type;
        link3       : Sstate_transition_type;
        link4       : Sstate_transition_type;
    end record;

Figure 28: SCM, system definitions.


To follow through with the stop_and_wait analysis example, an internal representation of the system state graph is shown in Figure 29. Although this example gives a graphical picture of how the data structures are used, it does not show the advantages of a system state analysis over global state analysis. Examples covered in Chapter V illustrate how much smaller system state graphs can be when compared to the global analysis graphs.

[Figure 29 diagram not reproduced.]

Figure 29: SCM internal system reachability graph, stop_and_wait.
D. OUTPUT

Output of the analysis is written to a text file and to the default device (workstation display). Figure 32 shows a captured image of the default output to a workstation screen for stop_and_wait. Features are available to let the user step through the output one screen at a time. Messages are output to the user when a deadlock, an unexecuted transition, or an unspecified reception occurs. A message is also displayed when the length of the graph exceeds the bounds defined by the user (the capacity of the channel is exceeded). The contents of the machine adjacency lists are also output.

The user may format output for the global state graph. This is done through the file user_output.a. The procedure output_Gtuple, contained in that file, allows the user to format the variables for default output. The template for the output procedures is shown in Figure 30.


separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
    put (" [ " & integer'image (tuple.machine1_state.state_number) & " , ");
    -- user defined format of variables using text IO
    put (" , " & integer'image (tuple.machine2_state.state_number) & " ] ");
end output_Gtuple;

separate (main)
procedure output_Gtuple_to_file (tuple : in out Gstate_record_type) is
begin
    put (reach, " [ " & integer'image (tuple.machine1_state.state_number) & " , ");
    -- user defined format of variables using text IO
    put (reach, " , " & integer'image (tuple.machine2_state.state_number) & " ] ");
end output_Gtuple_to_file;

Figure 30: SCM, output_Gtuple procedure template.


An example of how a user could format output for the stop_and_wait protocol is given in Figure 31.

separate (main)
procedure output_Gtuple (tuple : in out Gstate_record_type) is
begin
    put (" [ " & integer'image (tuple.machine1_state.state_number) & " , ");
    put (tuple.machine1_state.out_buff, set => lower_case);
    put (" , ");
    put (tuple.GLOBAL_VARIABLES.CHAN, set => upper_case);
    put (" , ");
    put (tuple.GLOBAL_VARIABLES.RET, set => upper_case);
    put (" , ");
    put (tuple.machine2_state.in_buff, set => lower_case);
    put (" , " & integer'image (tuple.machine2_state.state_number) & " ] ");
end output_Gtuple;

separate (main)
procedure output_Gtuple_to_file (tuple : in out Gstate_record_type) is
begin
    put (reach, " [ " & integer'image (tuple.machine1_state.state_number) & " , ");
    put (reach, tuple.machine1_state.out_buff, set => lower_case);
    put (reach, " , ");
    put (reach, tuple.GLOBAL_VARIABLES.CHAN, set => upper_case);
    put (reach, " , ");
    put (reach, tuple.GLOBAL_VARIABLES.RET, set => upper_case);
    put (reach, " , ");
    put (reach, tuple.machine2_state.in_buff, set => lower_case);
    put (reach, " , " & integer'image (tuple.machine2_state.state_number) & " ] ");
end output_Gtuple_to_file;

Figure 31: SCM, output format, stop_and_wait.


Consistent with previous examples, the boldface code is that which the user provides. The user does not provide any parameters for system state output. The output shown in Figure 32 was formatted according to the procedures used above.

REACHABILITY ANALYSIS of : stop_and_wait
Global State GRAPH
 0 [ 0 , d , E , E , e , 0 ]  xmt_data  1
 1 [ 1 , d , D , E , e , 0 ]  rcv_data  2
 2 [ 1 , d , D , E , d , 1 ]  xmt_ack   3
 3 [ 1 , d , D , A , d , 0 ]  rcv_ack   0
System State GRAPH
 0 [ 0 , 0 ]  xmt_data  [ 1 , 0 ]  1
 1 [ 1 , 0 ]  rcv_data  [ 1 , 1 ]  2
 2 [ 1 , 1 ]  xmt_ack   [ 1 , 0 ]  3
 3 [ 1 , 0 ]  rcv_ack   [ 0 , 0 ]  0
| Machine 1 Array Contents |
| From | To | Transition | Executed |
|  0   | 1  | xmt_data   | yes      |
|  1   | 0  | rcv_ack    | yes      |
| Machine 2 Array Contents |
| From | To | Transition | Executed |
|  0   | 1  | rcv_data   | yes      |
|  1   | 0  | xmt_ack    | yes      |

Figure 32: SCM, analysis output, stop_and_wait.
V. AN AUTOMATED ANALYSIS OF SELECTED DATA LINK PROTOCOLS

In this chapter the programs that were developed in the last two chapters will be demonstrated. Some well known data link protocols will be analyzed using the CFSM and SCM programs. The CFSM program will be used to analyze the alternating bit and the sliding window protocols. The SCM program will be used to analyze the go_back_n and selective repeat protocols. In each analysis the specification will be described; the program input and results are in the Appendices of this publication.

A. CFSM MODEL

The examples used as input show the advantages of the CFSM program. The alternating bit protocol analysis was chosen as a simple class of protocols. The sliding window with a window size of three shows how a graphically complex protocol can be analyzed quite easily.


1. Alternating Bit Protocol

The specification of the alternating bit protocol will be used as the first example for the CFSM program. The protocol consists of two machines. Machine one serves as the sender and Machine two as the receiver. The sender sends a message (-X) to the receiver. The receiver then accepts the message (+X) and sends an acknowledgment (-A). The acknowledgment at the machine level is done with the toggling of a bit, from which the name alternating bit is derived. The sender is clear to send another message when the acknowledgment is received.

[Figure 33 diagram not reproduced: Machine 1 cycles through states 1-4 on -X, +A, -Y, +B; Machine 2 cycles through states 1-4 on +X, -A, +Y, -B.]

Figure 33: CFSM specification, Alternating Bit.


The input file for the specification is:

start
machine 1
state 1
trans -X 2
state 2
trans +A 3
state 3
trans -Y 4
state 4
trans +B 1
machine 2
state 1
trans +X 2
state 2
trans -A 3
state 3
trans +Y 4
state 4
trans -B 1
initial_state 1 1
finish


The analysis of the alternating bit specification is:

REACHABILITY ANALYSIS of : output.alt_bit
 1 [ 1 , E , E , 1 ]  -X  [ 2 , X , E , 1 ]  2
 2 [ 2 , X , E , 1 ]  +X  [ 2 , E , E , 2 ]  3
 3 [ 2 , E , E , 2 ]  -A  [ 2 , E , A , 3 ]  4
 4 [ 2 , E , A , 3 ]  +A  [ 3 , E , E , 3 ]  5
 5 [ 3 , E , E , 3 ]  -Y  [ 4 , Y , E , 3 ]  6
 6 [ 4 , Y , E , 3 ]  +Y  [ 4 , E , E , 4 ]  7
 7 [ 4 , E , E , 4 ]  -B  [ 4 , E , B , 1 ]  8
 8 [ 4 , E , B , 1 ]  +B  [ 1 , E , E , 1 ]  1
| Machine 1 Array Contents |
| From | To | Transition | Executed |
|  1   | 2  | snd X      | yes      |
|  2   | 3  | rcv A      | yes      |
|  3   | 4  | snd Y      | yes      |
|  4   | 1  | rcv B      | yes      |
| Machine 2 Array Contents |
| From | To | Transition | Executed |
|  1   | 2  | rcv X      | yes      |
|  2   | 3  | snd A      | yes      |
|  3   | 4  | rcv Y      | yes      |
|  4   | 1  | snd B      | yes      |

* The nodes generated by the analysis were done in a breadth first manner.

2. A More Complex Example: The Sliding Window Protocol

The analysis of a sliding window protocol is a more complex example. Representing the protocol as a set of graphical finite state machines can be quite tedious. The essence of the protocol must be captured with the use of transitions, and oftentimes this leads to an intricate diagram, as in this example.

The sliding window protocol can also be represented as a two machine CFSM. As in the previous example, Machine one is the sender and Machine two is the receiver. At any instant of time the sender maintains a list of consecutive sequence numbers corresponding to frames it is permitted to send [TANE 81]. These frames are said to fall within the sending window. The receiver also maintains a receiving window corresponding to frames it is permitted to accept. The sending window and the receiving window need not have the same lower and upper limits, or even have the same size.

A window size of three is used in the specification given in Figure 34. The messages or packets are shown as transitions labeled X, Y, and Z and the acknowledgments are A, B, and C.

[Figure 34 diagram not reproduced.]

Figure 34: CFSM specification, sliding window (w=3).
The text file of the specification is:

start
machine 1
state 1
trans -X 2
state 2
trans +B 7
trans -Y 3
state 3
trans +B 9
trans +C 4
state 4
trans -Z 5
state 5
trans -X 6
trans +A 1
state 6
trans +A 2
trans +B 7
state 7
trans -Y 8
state 8
trans -Z 9

trans -Z 9
state 3
trans -A 1
initial_state 1 1
finish
The unexecuted transitions account for error control. Error control refers to mechanisms to detect and/or correct errors that occur in the transmission of information. So the unexecuted transitions identified in Machine 2's array are transitions that would have been executed if a loss of a message had occurred. Error and time-out transitions are not shown in the CFSM.


B. SCM MODEL

The examples used as input validate the use of the SCM program as a tool to verify protocols. The go_back_n protocol was analyzed first because of the availability of prior modelling done using SCM. The output of the program was compared to the manual SCM modelling results of this protocol. The selective repeat specification provided additional evidence of the program's validity as well as demonstrating how it can be used to improve a specification. Both examples are meant to show that the analysis helps the designer or reviewer gain a greater understanding of the protocol as well as detect errors.

The analysis of any protocol using this program contains varying information. A global reachability graph and a system reachability graph are provided. Following the graphs is a description of the contents of each machine array upon termination of the graph construction. Error messages (deadlock, unspecified reception, and unexecuted transitions) are placed at the point in the analysis where they occur. The system state graph will be used in this section to provide a means to validate output results. The system state graph can be viewed as a three-dimensional object whose tuple values provide a vector into three-dimensional space.


1. GoBackN

The first protocol chosen to model is a go_back_n protocol with a variable window size, which is a subset of the High-level Data Link Control (HDLC) class of protocols. There are two machines in the system, a sender (m1) and a receiver (m2). The sender sends data blocks to the receiver, which are numbered sequentially 0, 1, ..., w, 0, 1, ... for a window size of w. The maximum number of data blocks which can be sent without receiving an acknowledgment is w, the window size. The receiver, m2, receives the data blocks and acknowledges them by sending the sequence number of the next block expected (which is stored in local variable exp). The shared variables DATA and SEQ are used to pass messages from sender to receiver, and the shared variable ACK is used to pass acknowledgments back to the sender. The receiver may acknowledge any number of blocks received, up to the window size. Upon receiving the acknowledgment, the sender must be able to deduce how many data blocks are being acknowledged. This is done by observing the difference between the value of the received acknowledgment and the sequence number of the last data block sent.


[State machine diagrams of Figure 35 not reproduced; the predicate-action table reads:]

machine 1 (sender)
  -D    predicate: DATA(i) = E and SEQ(i) = E
        action:    DATA(i) := Sdata(i); SEQ(i) := seq; inc(i, seq)
  +Ak   predicate: ACK ⊕ k = seq and ACK /= E
        action:    (next state : k)

machine 2 (receiver)
  +D    predicate: DATA(j) /= E and SEQ(j) = exp
        action:    Rdata := DATA(j); DATA(j), SEQ(j) := E; inc(j, exp)

Figure 35: SCM specification, Go Back N, window size of 1..w.





The general specification of the protocol is given in Figure 35. Included in this figure are the state machine diagrams, variables and the predicate-action table. Initially, both sender and receiver are in state 0, arrays DATA and SEQ are empty, and ACK is empty. The domains of DATA, Rdata and Sdata are not specified; these are used to hold user data blocks. Sdata and Rdata are the interface or access points of the higher layer (user) protocol. The local variables for the sender are Sdata, used to store data blocks, seq, used to store the sequence number of the next data block to be sent out, and i, used as an index into the DATA and SEQ arrays. Initially seq is set to 0, and i is set to 1. The local variables of the receiver are Rdata, exp, and j. Rdata is used to receive and store incoming data blocks, exp holds the expected sequence number of the next incoming data block, and j is an index into the shared arrays DATA and SEQ.

There are four basic types of transitions described in the predicate-action table. In the sender, the -D transition transmits a data block by placing it into the shared variable DATA(i), and the sequence number into SEQ(i). The send is enabled whenever those variables are empty. The receive transition in the receiver, m2, is enabled whenever a data block of the appropriate sequence number is in the jth element of DATA and SEQ. An acknowledgment may be sent by m2 in any state except 0, in which case no unacknowledged data blocks have been received. The +A is a receive transition. If m1 is in state u, 1 ≤ u ≤ w, and there is a nonempty value in shared variable ACK, then exactly one of the transitions +A0, +A1, ..., +A(w-1) will be enabled; it will be that +Ak such that the predicate ACK ⊕ k = seq is true, and the next state is k. In the state diagram, all of the transitions +Ak are shown using the same vertical line.
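
The +Ak resolution is the part of the table that is easiest to get wrong, so here is an added example in Python (not the thesis's Ada, whose run below only covers w = 1) of the sender and receiver of Figure 35 for a general window size w. The variable names DATA, SEQ, ACK, seq, i, exp and j follow the page; the state counters, the ack_target helper, the trace driver and the sample block names are assumptions of this example. It shows how the sender deduces the number of still-outstanding blocks from ACK alone, including after the sequence numbers wrap past w.

```python
# Go-back-N sender (m1) and receiver (m2) following the page's Figure 35
# predicate-action table, generalised to any window size w (the page's own
# run is w = 1). Example code, not the thesis's Ada: variable names follow
# the page; the state counters, the ack_target helper and the trace driver
# are assumptions of this example. E (empty) is modelled as None.
E = None


class GoBackN:
    def __init__(self, w):
        self.w, self.mod = w, w + 1                 # sequence numbers 0..w
        self.DATA, self.SEQ, self.ACK = [E] * w, [E] * w, E   # shared variables
        self.seq, self.i, self.state1 = 0, 1, 0     # sender: next seq, index, blocks outstanding
        self.exp, self.j, self.state2 = 0, 1, 0     # receiver: expected seq, index, blocks unacked
        self.Rdata = []                             # blocks delivered to the user layer

    def inc(self, idx):
        """Cyclic index 1..w into the shared arrays (inc(i, seq) on the page)."""
        return idx % self.w + 1

    # ---- sender m1 ----
    def snd_data_enabled(self):
        return (self.state1 < self.w
                and self.DATA[self.i - 1] is E and self.SEQ[self.i - 1] is E)

    def snd_data(self, block):
        assert self.snd_data_enabled()
        self.DATA[self.i - 1], self.SEQ[self.i - 1] = block, self.seq
        self.i, self.seq = self.inc(self.i), (self.seq + 1) % self.mod
        self.state1 += 1

    def ack_target(self):
        """+A_k: in state u >= 1 with ACK nonempty, exactly one k satisfies
        ACK (+) k = seq (addition modulo w + 1); k is the number of blocks
        still unacknowledged and becomes the next state. None if no +A_k
        is enabled."""
        if self.state1 == 0 or self.ACK is E:
            return None
        return (self.seq - self.ACK) % self.mod

    def rcv_ack(self):
        k = self.ack_target()
        assert k is not None
        self.ACK, self.state1 = E, k
        return k

    # ---- receiver m2 ----
    def rcv_data_enabled(self):
        return (self.state2 < self.w and self.DATA[self.j - 1] is not E
                and self.SEQ[self.j - 1] == self.exp)

    def rcv_data(self):
        assert self.rcv_data_enabled()
        self.Rdata.append(self.DATA[self.j - 1])
        self.DATA[self.j - 1] = self.SEQ[self.j - 1] = E
        self.j, self.exp = self.inc(self.j), (self.exp + 1) % self.mod
        self.state2 += 1

    def snd_ack(self):
        assert self.state2 > 0 and self.ACK is E    # -A only outside state 0
        self.ACK, self.state2 = self.exp, 0


def trace():
    """Constructed run with w = 3: fill the window, acknowledge two of the
    three blocks, then the third, then a second window whose sequence
    numbers wrap past w. Returns the sender state after each +A_k, the
    delivered blocks and the sender's final seq."""
    p, states = GoBackN(3), []
    for b in ("b0", "b1", "b2"):                    # seq 0, 1, 2 -> state 3
        p.snd_data(b)
    p.rcv_data()
    p.rcv_data()
    p.snd_ack()                                     # ACK = 2
    states.append(p.rcv_ack())                      # (3 - 2) mod 4 = 1 outstanding
    p.rcv_data()
    p.snd_ack()                                     # ACK = 3
    states.append(p.rcv_ack())                      # window empty again
    for b in ("b3", "b4", "b5"):                    # seq 3, 0, 1
        p.snd_data(b)
    for _ in range(3):
        p.rcv_data()
    p.snd_ack()                                     # ACK = 2 while seq = 2
    states.append(p.rcv_ack())                      # (2 - 2) mod 4 = 0
    return states, p.Rdata, p.seq
```

The last acknowledgment in the trace carries the same value (2) as the first one, yet resolves to a different next state because seq has moved on; this is why the sequence space has w + 1 values rather than w, so that "w blocks outstanding" and "none outstanding" can never produce the same ACK ⊕ k = seq match.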


a. Input of variable definitions.

A sample interaction using the program for the analysis of go_back_n, w=1, consists of input files and an output file. The variable definitions contained in the user specification file are:

package definitions is

    type scm_transition_type is (snd_data, rcv_data,
                                 snd_ack, rcv_ack0, unused);
    type buffer_type is (d, e, a);
    type buffer_array_type is array (1..1) of buffer_type;
    type seq_array_type is array (1..1) of integer range -1..1;

    type machine1_state_type is
        record
            state_number : natural := 1;
            Sdata        : buffer_array_type := (others => d);
            seq          : integer range 0..1 := 0;
            i            : integer range 1..1 := 1;
        end record;

    type machine2_state_type is
        record
            state_number : natural := 1;
            Rdata        : buffer_type := e;
            exp          : integer range 0..1 := 0;
            j            : integer range 1..1 := 1;
        end record;

    type global_variable_type is
        record
            DATA : buffer_array_type := (others => e);
            SEQ  : seq_array_type := (others => -1);
            ACK  : integer range -1..1 := -1;
        end record;

end definitions;


b. Input of predicate analysis.

The analyze predicate functions contained in the predicate_action.a file are:

function Analyze_Predicates_Machine1 (local  : machine1_state_type;
                                      GLOBAL : global_variable_type)
    return transition_stack_package.stack is
    temp1 : integer := GLOBAL.ACK + 0;
begin
    MakeEmpty (transition_stack);
    if ((GLOBAL.DATA(local.i) = E)
        and (GLOBAL.SEQ(local.i) = -1)) then
        Push (transition_stack, snd_data);
    end if;
    if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
        Push (transition_stack, rcv_ack0);
    end if;
    return transition_stack;
end Analyze_Predicates_Machine1;

function Analyze_Predicates_Machine2 (local  : machine2_state_type;
                                      GLOBAL : global_variable_type)
    return transition_stack_package.stack is
begin
    MakeEmpty (transition_stack);
    if ((GLOBAL.DATA(local.j) /= E)
        and (GLOBAL.SEQ(local.j) = local.exp)) then
        Push (transition_stack, rcv_data);
    end if;
    if (GLOBAL.DATA(local.j) = E) then
        Push (transition_stack, snd_ack);
    end if;
    return transition_stack;
end Analyze_Predicates_Machine2;


c. Input of action table.

The action procedure is also a separate compilation unit contained in the predicate_action.a file:

procedure Action (in_system_state  : in out Gstate_record_type;
                  in_transition    : in out scm_transition_type;
                  out_system_state : in out Gstate_record_type) is
    temp : integer := 0;
begin
    case (in_transition) is
        when (snd_data) =>
            out_system_state.GLOBAL_VARIABLES.
                DATA (in_system_state.machine1_state.i) :=
                in_system_state.machine1_state.
                    Sdata (in_system_state.machine1_state.i);
            out_system_state.GLOBAL_VARIABLES.
                SEQ (in_system_state.machine1_state.i) :=
                in_system_state.machine1_state.seq;
            out_system_state.machine1_state.i :=
                (((in_system_state.machine1_state.i) + 1) mod 1) + 1;
            out_system_state.machine1_state.seq :=
                (((in_system_state.machine1_state.seq) + 1) mod 2);
        when (rcv_ack0) =>
            out_system_state.GLOBAL_VARIABLES.ACK := -1;
        when (snd_ack) =>
            out_system_state.GLOBAL_VARIABLES.ACK :=
                in_system_state.machine2_state.exp;
            out_system_state.machine2_state.Rdata := e;
        when (rcv_data) =>
            out_system_state.machine2_state.Rdata :=
                in_system_state.GLOBAL_VARIABLES.DATA
                    (in_system_state.machine2_state.j);
            out_system_state.GLOBAL_VARIABLES.DATA
                (in_system_state.machine2_state.j) := E;
            out_system_state.GLOBAL_VARIABLES.SEQ
                (in_system_state.machine2_state.j) := -1;
            out_system_state.machine2_state.j :=
                (((in_system_state.machine2_state.j) + 1) mod 1) + 1;
            out_system_state.machine2_state.exp :=
                (((in_system_state.machine2_state.exp) + 1) mod 2);
        when others =>
            put_line ("There is an error in the Action procedure");
    end case;
end Action;
d. Input of finite state machines.

And, finally, the input file for the finite state machines is:

start
machine 1
state 0
trans snd_data 1
state 1
trans rcv_ack0 0
machine 2
state 0
trans rcv_data 1
state 1
trans snd_ack 0
initial_state 0 0
finish


e. Output of analysis.

The output of the analysis is:

REACHABILITY ANALYSIS of : go_back_n_w1
Global State GRAPH
(the global state tuples are not legible in the scan; the global state numbers and the
transition taken from each are)
0  snd_data
1  rcv_data
2  snd_ack
3  rcv_ack0
4  snd_data
5  rcv_data
6  snd_ack
7  rcv_ack0
System State GRAPH
0 [0,0] snd_data [1,0] 1
1 [1,0] rcv_data [1,1] 2
2 [1,1] snd_ack [1,0] 3
3 [1,0] rcv_ack0 [0,0] 0
| Machine 1 Array Contents |
| From | To | Transition | Executed |
| 0 | 1 | snd_data | yes |
| 1 | 0 | rcv_ack0 | yes |
| Machine 2 Array Contents |
| From | To | Transition | Executed |
| 0 | 1 | rcv_data | yes |
| 1 | 0 | snd_ack | yes |

The output indicates that no errors were encountered. The format of the variables is user
dependent and, for brevity's sake, the code for formatting the output was not included.


f. System state analysis.

System state analysis is similar to the reachability analysis used with the pure finite state
machine model, but the total number of states which must be generated with system state analysis is
significantly smaller.

The system state analysis for a window size of 1 is shown in Figure 36. The subscripts are
used so that distinct system states having the same tuple may easily be distinguished. The convention is that
the subscript is initially 0, and is increased whenever a "-A" transition is taken, by the number of messages
which are being acknowledged.


(Figure 36 graph: legible node labels [00]0, [10]0, [11]0, [10]1; legible edge labels -D, -A.)

Figure 36: SCM, system state analysis, Go Back N, w=1.


The analysis for w=2 is shown in Figure 37. The initial states and variable values are the
same as for w=1; however, there are clearly more states in the analysis.

In a comparison between window sizes of 1 and 2, it is noted that the smaller graph is a
subgraph of the larger; either can be obtained from the other. If the subscripts are taken as the third coordinate
in a 3-dimensional cartesian coordinate system, with the states of each machine as the first two coordinates,
the graph then has the shape of a tetrahedron, with edges which are directed and labeled.

(Figure 37 graph not legible in the scan.)

Figure 37: SCM, system state analysis, Go Back N, w=2.


The graphs contained in Figure 36 and Figure 37 are defined with respect to a window size
w. The graph DT1(w), for a nonnegative integer w, is a labeled, directed graph defined by the tuple
$(N, E, L, \Phi)$, where $N = \{(x, y, z) \mid 0 \le z \le w,\ z \le x \le w,\ 0 \le y \le x - z\}$ is a finite set of nodes, each
node being specified by an ordered triple; $L = \{-D, +D, -A, +A_0, +A_1, \ldots, +A_{w-1}\}$ is a finite set of labels; the set E
of edges is a set of ordered pairs $((x_1, y_1, z_1), (x_2, y_2, z_2))$ of nodes from N, and is the union of the following
four sets:

$E_1 = \{((x, y, z), (x+1, y, z)) \mid (x, y, z) \in N,\ x < w\}$

$E_2 = \{((x, y, z), (x, y+1, z)) \mid (x, y, z) \in N,\ y < x - z\}$

$E_3 = \{((x, y, z), (x, 0, y+z)) \mid (x, y, z) \in N,\ y = x - z,\ x > z\}$

$E_4 = \{((x, y, z), (x-z, y, 0)) \mid (x, y, z) \in N,\ z > 0\}$

and the mapping $\Phi : E \to L$ is defined as follows:

$\forall (x, y, z) \in E_1,\ \Phi(x, y, z) = -D$

$\forall (x, y, z) \in E_2,\ \Phi(x, y, z) = +D$

$\forall (x, y, z) \in E_3,\ \Phi(x, y, z) = -A$

$\forall (x, y, z) \in E_4,\ \Phi(x, y, z) = +A_k$, where $k = x - z$


Each node of the graph can be thought of as a point in 3-dimensional space, with nonnegative,
integral coordinates (x,y,z). The structure of the graph is a sequence of w+1 triangles, one on top of the other,
with the largest triangle at the bottom and the smallest a single point at the top level.

One of the nice features of the geometric structure of this graph is that the state of the system
can be easily inferred from the x, y, z coordinates. For example, in Figure 37, at point (2,1,0), or system state
[2,1], the sender has transmitted 2 data blocks for which no acknowledgment has yet been received, and the
receiver has received 1 of these, but acknowledged none.

Let f(w) be the number of nodes in a system state graph and g(w) be the number of nodes in
the global reachability graph. The equations for g(w) and f(w), and the lemmas that support them, for the
go_back_n protocol are found in [LUND 91a]. For instance, the graph DT1(w) has

$f(w) = \frac{w^3}{6} + w^2 + \frac{11w}{6} + 1$.

The sizes of the graphs according to window size are:

(table of f(w) and g(w) by window size not legible in the scan)

The output of the program for this protocol was compared to values for f(w) and g(w). Test
runs were done for window sizes of 0 thru 5, and the number of nodes in each graph was consistent with the
table above. The specification input files and the output are in Appendices E through H.
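The same comparison of enumerated against computed node counts can be reproduced directly from the definition of DT1(w). The following Python program is an added example, not the thesis's Ada tool: it builds N and the four edge sets from the tuple $(N, E, L, \Phi)$ given above, labels each edge with $\Phi$, and checks the size of N against the closed form $f(w) = (w+1)(w+2)(w+3)/6$, which is $w^3/6 + w^2 + 11w/6 + 1$ expanded. It works for any nonnegative w, not only the w=1 and w=2 drawn in Figures 36 and 37. The function names (dt1_nodes, dt1_edges, f_closed, node_count_matches) are this example's own; g(w) is not computed here because the global reachability graph depends on the Ada variable definitions rather than on DT1(w) alone.

```python
"""Enumerate DT1(w) from the tuple (N, E, L, Phi) and check the node count.

Added example (not the thesis's program): all names below are this example's own.
"""


def dt1_nodes(w):
    """N = {(x, y, z) | 0 <= z <= w, z <= x <= w, 0 <= y <= x - z}."""
    return [(x, y, z)
            for z in range(w + 1)
            for x in range(z, w + 1)
            for y in range(x - z + 1)]


def dt1_edges(w):
    """Edges E1..E4 as {(source, destination): label}, labelled by Phi."""
    nodes = set(dt1_nodes(w))
    edges = {}
    for (x, y, z) in nodes:
        if x < w:                       # E1: sender transmits a data block (-D)
            edges[((x, y, z), (x + 1, y, z))] = "-D"
        if y < x - z:                   # E2: receiver accepts a data block (+D)
            edges[((x, y, z), (x, y + 1, z))] = "+D"
        if y == x - z and x > z:        # E3: receiver sends an acknowledgment (-A)
            edges[((x, y, z), (x, 0, y + z))] = "-A"
        if z > 0:                       # E4: sender consumes the acknowledgment (+A_k, k = x - z)
            edges[((x, y, z), (x - z, y, 0))] = "+A%d" % (x - z)
    # every destination must itself lie in N, otherwise the edge sets are inconsistent
    if any(dst not in nodes for (_, dst) in edges):
        raise ValueError("edge leaves N")
    return edges


def f_closed(w):
    """Closed form for |N|: w+1 stacked triangles of sizes 1, 3, 6, ... (a tetrahedral number)."""
    return (w + 1) * (w + 2) * (w + 3) // 6


def node_count_matches(w):
    """True when the enumerated node set has exactly f(w) nodes."""
    return len(dt1_nodes(w)) == f_closed(w)


if __name__ == "__main__":
    for w in range(6):                  # the thesis ran window sizes 0 through 5
        print(w, len(dt1_nodes(w)), f_closed(w), len(dt1_edges(w)))
```

For w=1 the enumeration yields the four nodes (0,0,0), (1,0,0), (1,1,0) and (1,0,1), joined by one -D, one +D, one -A and one +A0 edge, which is the cycle drawn in Figure 36 with the subscript of [10]1 appearing as the z coordinate.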
2. Selective Repeat

The next analysis is the selective repeat protocol. The specification defined in
[BENV 91] and [STAL 91] has been modified as follows. There are two machines in the
system, a sender (m1) and a receiver (m2). The sender's (m1) initial state is 0. Two
assumptions were made for the analysis. First, all the packets transmitted were received
without error and second, no packets were lost or reordered during the transmission.

The specification for the sender is found in Figure 38. As the buffer manager
places data in the next available sequence number, the sender places the packet on the
channel and increments the index for the next packet to be transmitted. As long as the next
packet is not empty, the sender will continue this process until the bottom state on the finite
state machine is reached, indicating the transmission of a full window. Acknowledgments
(ACK) are passed to the transmitter as they are received. If an ACK is received then the
transmitter must determine if the window may be opened and if so, how far. If the ACK is
not for the first packet in the window then the flag ack_rec is set, indicating that the packet
was received correctly. The window is not advanced because packets that were transmitted
earlier are still outstanding. The sequence number within each ACK represents the actual
sequence number of the packet received and not the sequence number of the next expected
packet, as is common in many protocols.

When an ACK for the first packet in the window is received the machine clears
its buffer, advances the window, and looks at the next sequence number. If the packet has
not been received, then that becomes the beginning of the window. If it has been received
then the next sequence number is examined until the earliest outstanding packet is found or
the window is fully opened. ACKs that do not correspond to any of the sequence numbers
within the current window are ignored.


(Figure 38 is a diagram; only its text fragments are legible in the scan.)

machine 1: out_buff(1..w); ack_rec(0,1,...,w); current: (0,1,...,w); hold: (t, f)
  legible predicates: out_buffer(i) /= E and hold = f;  ack_rec(i) = f and CONTROL = A(i);  R_k (0 < k < w)
  legible actions: DATA(i) := out_buffer(i), inc(i), if (i = w) hold := t;  ack_rec(i) := t, CONTROL(i) := E;  ack_rec(i) := f, hold := f
machine 2: in_buff(1..w); pkt_rec(1..w); current: (0,1,...,w)
  legible predicates: pkt_rec(j) = f;  CONTROL(j) = E and pkt_rec(j) = t
  legible actions: in_buff(j) := DATA(j), DATA(j) := E, pkt_rec(j) := t;  CONTROL(j) := A(j), pkt_rec(j) := f, in_buff(j) := e, inc(j)

Figure 38: SCM specification, Selective Repeat, window size of 1..w.


The receiver as shown in Figure 38 follows the specification given in the
predicate action table. The initial state of the receiving machine is 0. Any packets that are
received with sequence numbers outside of the window are dropped. If a valid data packet
is received then the +D is taken, based upon whether the sequence number of the received
packet is equal to i. If the sequence number is not i, then the flag pkt_rec is set to t and the
packet is stored. If it is equal to i, then pkt_rec is set, the packet is released to the buffer,
and i is incremented until a sequence number with pkt_rec=f is found.

A sample interaction using the program for the analysis of selective repeat,
w=1, consists of input files and an output file. The variable definitions contained in the user
specification file are:


package definitions is

  type scm_transition_type is (snd_data1, rcv_data1,
                               snd_ack1, rcv_ack1,
                               adv_win1, unused);

  type buffer_type is (d1, e, a1);

  type boolean_type is (t, f);

  subtype ack_buffer_type is buffer_type range e..a1;

  subtype data_buffer_type is buffer_type range d1..e;

  type ack_array_type is array(1..1) of ack_buffer_type;
  type data_array_type is array(1..1) of data_buffer_type;

  type boolean_array_type is array(1..1) of boolean_type;

  type machine1_state_type is
    record
      state_number : natural := 0;
      out_buffer : data_array_type := (others => d1);
      ack_rec : boolean_array_type := (others => f);
      current : integer range 1..1 := 1;
      hold : boolean_type := f;
    end record;

  type machine2_state_type is
    record
      state_number : natural := 0;
      in_buffer : data_array_type := (others => e);
      pkt_rec : boolean_array_type := (others => f);
    end record;

  type global_variable_type is
    record
      DATA : buffer_type := e;
      CONTROL : ack_array_type := (others => e);
    end record;

end definitions;
a. Input of predicate analysis.

The analyze predicate functions contained in the predicate_action.a file are:

function Analyze_Predicates_Machine1(local : machine1_state_type;
                                     GLOBAL : global_variable_type)
  return transition_stack_package.stack is
begin
  MakeEmpty(transition_stack);
  if (local.out_buffer(1) /= E) then
    Push(transition_stack, snd_data1);
  end if;
  if ((local.ack_rec(1) = f) and (GLOBAL.DATA = A1)) then
    Push(transition_stack, rcv_ack1);
  end if;
  Push(transition_stack, adv_win1);
  return transition_stack;
end Analyze_Predicates_Machine1;

function Analyze_Predicates_Machine2(local : machine2_state_type;
                                     GLOBAL : global_variable_type)
  return transition_stack_package.stack is
begin
  MakeEmpty(transition_stack);
  if ((GLOBAL.DATA = D1) and (local.pkt_rec(1) = f)) then
    Push(transition_stack, rcv_data1);
  end if;
  if (local.pkt_rec(1) = t) then
    Push(transition_stack, snd_ack1);
  end if;
  return transition_stack;
end Analyze_Predicates_Machine2;


b. Input of action table.

The action procedure is also a separate compilation unit contained in the predicate_action.a
file:

procedure Action(in_system_state : in out Gstate_record_type;
                 in_transition : in out scm_transition_type;
                 out_system_state : in out Gstate_record_type) is
  temp : integer := 0;
begin
  case (in_transition) is
    when (snd_data1) =>
      out_system_state.GLOBAL_VARIABLES.DATA :=
        in_system_state.machine1_state.out_buffer(1);
    when (rcv_ack1) =>
      out_system_state.machine1_state.ack_rec(1) := t;
      out_system_state.GLOBAL_VARIABLES.DATA := e;
      out_system_state.machine1_state.current := 1;
    when (rcv_data1) =>
      out_system_state.machine2_state.in_buffer(1) :=
        in_system_state.GLOBAL_VARIABLES.DATA;
      out_system_state.GLOBAL_VARIABLES.DATA := e;
      out_system_state.machine2_state.pkt_rec(1) := t;
    when (snd_ack1) =>
      out_system_state.GLOBAL_VARIABLES.DATA := a1;
      out_system_state.machine2_state.pkt_rec(1) := f;
      out_system_state.machine2_state.in_buffer(1) := e;
    when (adv_win1) =>
      out_system_state.machine1_state.ack_rec
        (in_system_state.machine1_state.current) := f;
    when others =>
      put_line("There is an error in the Action procedure");
  end case;
end Action;


c. Input of finite state machines.

And, finally, the input file for the finite state machines is:

start
machine 1
state 0
trans snd_data1 1
state 1
trans rcv_ack1 2
state 2
trans adv_win1 0
machine 2
state 0
trans rcv_data1 1
state 1
trans snd_ack1 0
initial_state 0 0
finish


d. Output of analysis.

The output of the analysis is:

REACHABILITY ANALYSIS of : sel_rep_w1
Global State GRAPH
0 [ 0, 0, D1, F, E, F, E ]  snd_data1 1
1 [ 1, 0, D1, F, E, F, D1 ] rcv_data1 2
2 [ 1, 1, D1, F, D1, T, E ] snd_ack1 3
3 [ 1, 0, D1, F, E, F, A1 ] rcv_ack1 4
4 [ 2, 0, D1, T, E, F, E ]  adv_win1 0
System State GRAPH
0 [0,0] snd_data1 [1,0] 1
1 [1,0] rcv_data1 [1,1] 2
2 [1,1] snd_ack1 [1,0] 3
3 [1,0] rcv_ack1 [2,0] 4
4 [2,0] adv_win1 [0,0] 0
| Machine 1 Array Contents |
| From | To | Transition | Executed |
| 0 | 1 | snd_data1 | yes |
| 1 | 2 | rcv_ack1 | yes |
| 2 | 0 | adv_win1 | yes |
| Machine 2 Array Contents |
| From | To | Transition | Executed |
| 0 | 1 | rcv_data1 | yes |
| 1 | 0 | snd_ack1 | yes |
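The analysis run above can be reproduced by hand-translating the selective repeat, w=1 specification into a small breadth-first reachability search. The following Python program is an added example, written by this editor rather than taken from the thesis's Ada tool: it encodes the variable definitions, the two analyze-predicate functions, the Action procedure and the finite state machine input file given in this section, explores the global states breadth first as the thesis says its program does, and reports the same three things the tool prints (global state graph, system state graph, executed transitions) together with any unexecuted transitions and deadlocked global states. The names State, FSM, analyze_scm and system_state_graph are this example's own, and the global state tuple is ordered as the thesis's output format prints it.

```python
"""Reachability analysis of the SCM selective repeat specification, w=1.

Added example (Python, not the thesis's Ada program); all names are this example's own.
"""
from collections import deque, namedtuple

# Global state in the order the thesis's output format prints it:
# [m1.state, m2.state, out_buffer(1), ack_rec(1), in_buffer(1), pkt_rec(1), DATA]
State = namedtuple("State", "m1 m2 out_buffer ack_rec in_buffer pkt_rec data")

# Initial values from the package definitions (constructed from that listing).
INITIAL = State(0, 0, "d1", "f", "e", "f", "e")

# The finite state machine input file: {(machine, state, transition): next_state}.
FSM = {
    (1, 0, "snd_data1"): 1, (1, 1, "rcv_ack1"): 2, (1, 2, "adv_win1"): 0,
    (2, 0, "rcv_data1"): 1, (2, 1, "snd_ack1"): 0,
}


def predicates_machine1(s):
    """Analyze_Predicates_Machine1: transitions whose predicate holds."""
    enabled = []
    if s.out_buffer != "e":
        enabled.append("snd_data1")
    if s.ack_rec == "f" and s.data == "a1":
        enabled.append("rcv_ack1")
    enabled.append("adv_win1")          # pushed unconditionally in the Ada source
    return enabled


def predicates_machine2(s):
    """Analyze_Predicates_Machine2: transitions whose predicate holds."""
    enabled = []
    if s.data == "d1" and s.pkt_rec == "f":
        enabled.append("rcv_data1")
    if s.pkt_rec == "t":
        enabled.append("snd_ack1")
    return enabled


def action(s, machine, trans):
    """The Action procedure plus the FSM arc: new global state after taking trans."""
    nxt = FSM[(machine, s.m1 if machine == 1 else s.m2, trans)]
    s = s._replace(m1=nxt) if machine == 1 else s._replace(m2=nxt)
    if trans == "snd_data1":
        return s._replace(data=s.out_buffer)
    if trans == "rcv_ack1":
        return s._replace(ack_rec="t", data="e")
    if trans == "rcv_data1":
        return s._replace(in_buffer=s.data, data="e", pkt_rec="t")
    if trans == "snd_ack1":
        return s._replace(data="a1", pkt_rec="f", in_buffer="e")
    if trans == "adv_win1":
        return s._replace(ack_rec="f")
    raise ValueError("There is an error in the Action procedure")


def analyze_scm(initial=INITIAL):
    """Breadth-first global state graph; returns (states, edges, unexecuted, deadlocks)."""
    states = [initial]
    index = {initial: 0}
    edges = []                          # (from_index, transition, to_index)
    executed = set()
    deadlocks = []
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        fired = 0
        for machine, preds in ((1, predicates_machine1), (2, predicates_machine2)):
            st = s.m1 if machine == 1 else s.m2
            for trans in preds(s):
                if (machine, st, trans) not in FSM:
                    continue            # predicate true, but the machine has no such arc here
                t = action(s, machine, trans)
                if t not in index:
                    index[t] = len(states)
                    states.append(t)
                    queue.append(t)
                edges.append((index[s], trans, index[t]))
                executed.add((machine, st, trans))
                fired += 1
        if fired == 0:                  # no machine can move: a deadlocked global state
            deadlocks.append(index[s])
    unexecuted = sorted(set(FSM) - executed)
    return states, edges, unexecuted, deadlocks


def system_state_graph(states, edges):
    """Project the global graph onto [m1, m2] pairs, as the System State GRAPH does."""
    return [((states[a].m1, states[a].m2), tr, (states[b].m1, states[b].m2))
            for a, tr, b in edges]


if __name__ == "__main__":
    states, edges, unexecuted, deadlocks = analyze_scm()
    for i, s in enumerate(states):
        print(i, list(s))
    for a, tr, b in edges:
        print(a, tr, b)
    print("unexecuted:", unexecuted, "deadlocks:", deadlocks)
```

Run as a script it lists the five global states and five edges printed above and reports no unexecuted transitions and no deadlocks; changing one predicate (for example requiring pkt_rec = f before snd_ack1) makes the search stop in a deadlocked state, which is the kind of specification error the thesis's tool is meant to surface.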


e. System state analysis.

The system state analysis for a window size of 1 is shown in Figure 39. The subscripts are
used so that distinct system states having the same tuple may easily be distinguished. The convention is that
the subscript is initially 0, and is increased whenever a -A transition is taken, by the number of messages
which are being acknowledged. The analysis for w=2 is shown in Figure 40. As previously pointed out, initial
states and variable values are the same as for w=1; however, there are clearly more states in the analysis.
(Figure 39 graph: legible node labels [00]0, [20]0; legible edge labels -D, +A.)

Figure 39: SCM, system state analysis, Selective Repeat, w=1.

(Figure 40 graph: legible node labels [10], [20], [30]0, [31]0; legible edge labels -D, +D.)

Figure 40: SCM, system state analysis, Selective Repeat, w=2.

The graphs contained in Figure 39 and Figure 40 are the basis of the definition for a window
size of w. The graph SR1(w), for a nonnegative integer w, is a labeled, directed graph defined by the tuple
$(N, E, L, \Phi)$, where $N = \{(x, y, z) \mid 0 \le z \le w,\ z \le x \le 2w,\ 0 \le y \le x - 2z\}$ is a finite set of nodes, where
each node is specified by an ordered triple; $L = \{-D, +D, -A, +A, R_0, \ldots, R_{w-1}\}$ is a finite set of labels; the set E
of edges is a set of ordered pairs $((x_1, y_1, z_1), (x_2, y_2, z_2))$ of nodes from N, and is the union of the following
five sets:

$E_1 = \{((x, y, z), (x+1, y, z)) \mid (x, y, z) \in N,\ x < w\}$

$E_2 = \{((x, y, z), (x, y+1, z)) \mid (x, y, z) \in N,\ y + z < 2x\}$

$E_3 = \{((x, y, z), (x, y-1, z+1)) \mid (x, y, z) \in N,\ x > z\}$

$E_4 = \{((x, y, z), (x-1, y, z)) \mid (x, y, z) \in N,\ y + z < x\}$

$E_5 = \{((x, y, z), (x-(w+k), y, z)) \mid (x, y, z) \in N,\ x - (y + z) \le k\}$

and the mapping $\Phi : E \to L$ is defined as follows:

$\forall (x, y, z) \in E_1,\ \Phi(x, y, z) = -D$

$\forall (x, y, z) \in E_2,\ \Phi(x, y, z) = +D$

$\forall (x, y, z) \in E_3,\ \Phi(x, y, z) = -A$

$\forall (x, y, z) \in E_4,\ \Phi(x, y, z) = +A$

$\forall (x, y, z) \in E_5,\ \Phi(x, y, z) = R_k$, where $k = |w - x|$

As with the go_back_n analysis, each node of the graph can be thought of as a point in 3-
dimensional space, with nonnegative, integral coordinates (x,y,z). The structure of the graph is a sequence of
w+1 triangles, one on top of the other, with the largest triangle at the bottom and the smallest a single point
at the top level.
Let f(w) be the number of nodes in a system state graph. The lemmas that support it, for the
selective repeat protocol, are found in [JENS 92]. The graph SR1(w) has $f(w) = w^2 + (w+1)^2$. The sizes
of the graphs according to window size are:

(table of f(w) by window size not legible in the scan)

Test runs were done, and the number of nodes in each graph was consistent with the table
above. The specification input files and the output are in Appendices I and J.
VI. CONCLUSIONS AND RECOMMENDATIONS

In this thesis, a program was introduced that analyzed network protocols using the
CFSM and SCM models. The program was successfully developed in an Ada environment.
The Ada tools that made implementing the models easier were encapsulation, information
hiding, and generic programming units.

In Ada, network protocol specifications can be represented in an intuitive manner. The
finite state machines and the associated predicate action tables were converted to Ada
language parameters for the analysis. The language environment enforces the rules of the
protocol as well as the allowable behavior of all the variables. Dynamic construction of
reachability graphs allowed the user to determine how large or small an analysis should be.
The protocol designer or engineer that uses this program can quickly become familiar with
the behavior of the protocol by simply constructing the Ada specification. It is interesting
to note that due to the automated specification analysis some previous work using the SCM
model has since been modified. The analysis provides information on occurrences of
deadlock, unspecified reception, unexecuted transition, and message flow exceeding
channel capacity.

The programming environment provided an adequate platform to develop the
program. The ability to use encapsulation, information hiding, tasking, and generic code
allowed the program to be developed in a step-wise, compartmented fashion. The
availability of a powerful debugger (DBX) enhanced the transition from developing to
testing the program. To allow for a more transportable product this program might be
converted to C or C++, so that others may benefit from its use.

The program was validated with previous work done on widely used protocols. In
Lundy's papers [LUND 88], [LUND 91a], [LUND 91b], [LUND 92a] and [LUND 92b] a
number of protocols were manually analyzed using the SCM model. A subset of those
analyses were performed using the program, achieving identical results. It is interesting to
note that due to the automated analysis of previous work using the SCM model, some
specifications have had to be modified. It must also be noted that example analyses were
only done on two machine specifications.

There are several questions and areas open for further work which remain. An
important step would be to expand the program to allow for more than two machines.
Although most protocols can be modelled with two machines, it is a realistic requirement
to model three or more. The program could be made more interactive with the user,
allowing the user to change the specification in real time when an error occurs. The program
was developed for use on a workstation; future work could concentrate on PC versions of
Ada or C/C++. A picture is worth a thousand words; what is done textually can sometimes
be represented better graphically. A graphical user interface would enhance the user's
ability to specify a protocol and understand the analysis.

It is important to say that developing this program was FUN. One of the features of
this automated tool is its understandability. By developing an automated tool it became
apparent that the user needs to feel comfortable with the language used as well as how a
specification looks and feels when input for analysis. The results provided by the many runs
of this program focused attention on where it needed to be: the protocol behavior, not the
programming language anomalies.
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The program listing begins on the following page. 
(The program listing pages were scanned inverted and the Ada source is not legible. The legible header
information is: File: output.a; Author: Matthew J. Rothlisberger, Captain, U.S. Army; Date: 10 February 1992;
System: Sun 4 Workstation; Compiler: Verdix ADA, Version 6.0. Legible unit descriptions: clear pointers
(Clear all pointers to apply to another user input file); search for tuple (A function that searches the
reachability graph for a duplicated tuple. Returns a pointer to the value of the found tuple location, else
returns null); pause output (Procedure called when default output screen reaches max. Default max is 25
lines); unprompted pause (Procedure called when default output screen reaches max. Default max is 25 lines.
User is not prompted for ENTER). Each unit is a separate (main) compilation unit.)
APPENDIX C (CFSM) ALTERNATING BIT
INPUT (FSM)

start
machine 1 ------------- MACHINE 1 ---------
state 1
trans -X 2
state 2
trans +A 3
state 3
trans -Y 4
state 4
trans +B 1
machine 2 ------------- MACHINE 2 ---------
state 1
trans +X 2
state 2
trans -A 3
state 3
trans +Y 4
state 4
trans -B 1
initial_state 1 1
finish

OUTPUT

REACHABILITY ANALYSIS of : output.alt

Reachability Graph

[ 1, 1, E, E ]  ->  [ 2, 1, X, E ]
[ 2, 1, X, E ]  ->  [ 2, 2, E, E ]
[ 2, 2, E, E ]  ->  [ 2, 3, E, A ]
[ 2, 3, E, A ]  ->  [ 3, 3, E, E ]
[ 3, 3, E, E ]  ->  [ 4, 3, Y, E ]
[ 4, 3, Y, E ]  ->  [ 4, 4, E, E ]
[ 4, 4, E, E ]  ->  [ 4, 1, E, B ]
[ 4, 1, E, B ]  ->  [ 1, 1, E, E ]
Machine 1 Array Contents
| From | To | Transition | Executed |
| 1 | 2 | snd X | yes |
| 2 | 3 | rcv A | yes |
| 3 | 4 | snd Y | yes |
| 4 | 1 | rcv B | yes |
Machine 2 Array Contents
| From | To | Transition | Executed |
| 1 | 2 | rcv X | yes |
| 2 | 3 | snd A | yes |
| 3 | 4 | rcv Y | yes |
| 4 | 1 | snd B | yes |

* The nodes generated by the analysis
were done in a breadth first manner
APPENDIX D (CFSM) SLIDING WINDOW

INPUT (FSM)

start
machine 1
state 1
trans -X
state 2
trans +B
trans -Y
state 3
trans +B
trans +C
state 4
trans -Z
state 5
trans -X
trans +A
state 6
trans +A
trans +B
state 7
trans -Y
state 8
trans -Z
state 9
trans +C
trans +A
machine 2
state 1
trans +X 2
state 2
trans +Y 3
state 3
trans -C 4
state 4
trans +Z 5
state 5
trans +X
state 6
trans -B 7
state 7
trans +Y 8
state 8
trans +Z 9
state 9
trans -A 1
initial_state 1 1
finish

(The target-state column of machine 1's transitions, and of state 5 of machine 2, is not legible in the scan.)

OUTPUT

REACHABILITY ANALYSIS of : sliding window

(The reachability graph and the Machine 1 and Machine 2 Array Contents tables are not legible in the scan.)

* The nodes generated by the analysis
were done in a breadth first manner
APPENDIX E (SCM) GO_BACK_N, W=1

INPUT (FSM)

start
machine 1
state 0
trans snd_data 1
state 1
trans rcv_ack0 0
machine 2
state 0
trans rcv_data 1
state 1
trans snd_ack 0
initial_state 0 0
finish
VARIABLE DEFINITIONS

package definitions is

  type scm_transition_type is (snd_data1, rcv_data1, snd_ack1,
                               rcv_ack1, adv_win1, unused);

  type buffer_type is (d1, e, a1);

  type boolean_type is (t, f);

  type buffer_array_type is array(1..1) of buffer_type;
  type boolean_array_type is array(1..1) of boolean_type;

  type machine1_state_type is
    record
      state_number : natural := 0;
      out_buffer : buffer_array_type := (others => d1);
      ack_rec : boolean_array_type := (others => f);
      current : integer range 1..1 := 1;
    end record;

  type machine2_state_type is
    record
      state_number : natural := 0;
      in_buffer : buffer_array_type := (others => e);
      pkt_rec : boolean_array_type := (others => f);
      current : integer range 1..1 := 1;
    end record;

  type global_variable_type is
    record
      DATA : buffer_type := e;
    end record;

end definitions;
PREDICATE-ACTION

separate (main)
function Analyze_Predicates_Machine1(local  : machine1_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   if (local.out_buffer(1) /= E) then
      Push(transition_stack, snd_data1);
   end if;
   if ((local.ack_rec(1) = f) and (GLOBAL.DATA = A1)) then
      Push(transition_stack, rcv_ack1);
   end if;
   Push(transition_stack, adv_win1);
   return transition_stack;
end Analyze_Predicates_Machine1;

separate (main)
function Analyze_Predicates_Machine2(local  : machine2_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   if ((GLOBAL.DATA = D1) and (local.pkt_rec(1) = f)) then
      Push(transition_stack, rcv_data1);
   end if;
   if (local.pkt_rec(1) = t) then
      Push(transition_stack, snd_ack1);
   end if;
   return transition_stack;
end Analyze_Predicates_Machine2;

separate (main)
procedure Action(in_system_state  : in out Gstate_record_type;
                 in_transition    : in out scm_transition_type;
                 out_system_state : in out Gstate_record_type) is
   temp : integer := 0;
begin
   case (in_transition) is
      when (snd_data1) =>
         out_system_state.GLOBAL_VARIABLES.DATA :=
            in_system_state.machine1_state.out_buffer(1);
      when (rcv_ack1) =>
         out_system_state.machine1_state.ack_rec(1) := t;
         out_system_state.GLOBAL_VARIABLES.DATA := e;
         out_system_state.machine1_state.current := 1;
      when (rcv_data1) =>
         out_system_state.machine2_state.in_buffer(1) :=
            in_system_state.GLOBAL_VARIABLES.DATA;
         out_system_state.GLOBAL_VARIABLES.DATA := e;
         out_system_state.machine2_state.pkt_rec(1) := t;
      when (snd_ack1) =>
         out_system_state.GLOBAL_VARIABLES.DATA := a1;
         out_system_state.machine2_state.pkt_rec(1) := f;
         out_system_state.machine2_state.in_buffer(1) := e;
      when (adv_win1) =>
         out_system_state.machine1_state.ack_rec(in_system_state.machine1_state.current) := f;
      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;


OUTPUT FORMAT


separate (main)
procedure output_Gtuple(tuple : in out Gstate_record_type) is
begin
   put(" [" & integer'image(tuple.machine1_state.state_number));
   put(" ," & integer'image(tuple.machine2_state.state_number));
   put(" , ");
   put(tuple.machine1_state.out_buffer(1), width => 1);
   put(" , ");
   put(tuple.machine1_state.ack_rec(1), width => 2);
   put(" , ");
   put(tuple.machine2_state.in_buffer(1), width => 1);
   put(" , ");
   put(tuple.machine2_state.pkt_rec(1), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA, width => 2);
   put(" ]");
end output_Gtuple;

separate (main)
procedure output_Gtuple_to_file(tuple   : in out Gstate_record_type;
                                counter : in out integer) is
begin
   put(reach, counter);
   put(reach, " [" & integer'image(tuple.machine1_state.state_number));
   put(reach, " ," & integer'image(tuple.machine2_state.state_number));
   put(reach, " , ");
   put(reach, tuple.machine1_state.out_buffer(1), width => 1);
   put(reach, " , ");
   put(reach, tuple.machine1_state.ack_rec(1), width => 2);
   put(reach, " , ");
   put(reach, tuple.machine2_state.in_buffer(1), width => 1);
   put(reach, " , ");
   put(reach, tuple.machine2_state.pkt_rec(1), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA, width => 2);
   put(reach, " ]");
   new_line(reach);
end output_Gtuple_to_file;

separate (main)
procedure output_Gstate_node(Gstate_pointer : in out Glink_type;
                             Error_flag     : in out boolean) is
begin
   output_line_count := output_line_count + 1;
   if ((output_line_count mod 10) = 0) then
      scroll_pause;
   end if;

   set_col(Gcolumn_set);
   put(Gstate_pointer.system_state_number, width => 3);
   output_Gtuple(Gstate_pointer.Gtuple);
   -- a global state with no outgoing link is reported as an error (deadlock)
   if ((Gstate_pointer.link1.Glink = null) and then (Gstate_pointer.link2.Glink = null)
       and then
       (Gstate_pointer.link3.Glink = null) and then (Gstate_pointer.link4.Glink = null))
   then
      Error_flag := true;
   else
      Error_flag := false;
   end if;
end output_Gstate_node;
OUTPUT

REACHABILITY ANALYSIS of : go_back_n_w1

Global State GRAPH

[eight rows; the global state tuples are not legible in the scan. Transitions in
row order: snd_data, rcv_data, snd_ack, rcv_ack0, snd_data, rcv_data, snd_ack,
rcv_ack0]

System State GRAPH

(0,0) snd_data (1,0)

(1,0) rcv_data (1,1)

(1,1) snd_ack (1,0)

(1,0) rcv_ack0 (0,0)

| Machine 1 Array Contents |
| From | To | Transition | Executed |
| 0 | 1 | snd_data | yes |
| 1 | 0 | rcv_ack0 | yes |

| Machine 2 Array Contents |
| From | To | Transition | Executed |
| 0 | 1 | rcv_data | yes |
| 1 | 0 | snd_ack | yes |
APPENDIX F (SCM) GO_BACK_N, W=2

INPUT (FSM)

start
machine 1
state 0
trans snd_data 1
state 1
trans snd_data 2
trans rcv_ack0 0
state 2
trans rcv_ack0 0
trans rcv_ack1 1
machine 2
state 0
trans rcv_data 1
state 1
trans rcv_data 2
trans snd_ack 0
state 2
trans snd_ack 0
initial state 0 0
finish
VARIABLE DEFINITIONS

package definitions is

   type scm_transition_type is (snd_data, rcv_data,
                                snd_ack, rcv_ack0,
                                rcv_ack1, unused);

   type buffer_type is (d0, d1, e, a);
   type buffer_array_type is array(1..2) of buffer_type;
   type seq_array_type is array(1..2) of integer range -1..2;

   type machine1_state_type is
      record
         state_number : natural := 0;
         Sdata        : buffer_array_type := (d0, d1);
         seq          : integer range 0..2 := 0;
         i            : integer range 1..2 := 1;
      end record;

   type machine2_state_type is
      record
         state_number : natural := 0;
         Rdata        : buffer_type := e;
         exp          : integer range 0..2 := 0;
         j            : integer range 1..2 := 1;
      end record;

   type global_variable_type is
      record
         DATA : buffer_array_type := (e, e);
         SEQ  : seq_array_type := (-1, -1);
         ACK  : integer range -1..2 := -1;
      end record;

end definitions;




PREDICATE-ACTION 


separate (main)
function Analyze_Predicates_Machine1(local  : machine1_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
   temp1 : integer := GLOBAL.ACK + 0;
   temp2 : integer := (GLOBAL.ACK + 1) mod 3;
begin
   MakeEmpty(transition_stack);
   if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
      Push(transition_stack, snd_data);
   end if;
   if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack0);
   end if;
   if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack1);
   end if;
   return transition_stack;
end Analyze_Predicates_Machine1;

separate (main)
function Analyze_Predicates_Machine2(local  : machine2_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   if ((GLOBAL.DATA(local.j) /= E) and (GLOBAL.SEQ(local.j) = local.exp)) then
      Push(transition_stack, rcv_data);
   end if;
   if (GLOBAL.DATA(local.j) = E) then
      Push(transition_stack, snd_ack);
   end if;
   return transition_stack;
end Analyze_Predicates_Machine2;

separate (main)
procedure Action(in_system_state  : in out Gstate_record_type;
                 in_transition    : in out scm_transition_type;
                 out_system_state : in out Gstate_record_type) is
   temp : integer := 0;
begin
   case (in_transition) is
      when (snd_data) =>
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.Sdata(in_system_state.machine1_state.i);
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.seq;
         if (in_system_state.machine1_state.i = 1) then
            out_system_state.machine1_state.i := 2;
         else
            out_system_state.machine1_state.i := 1;
         end if;
         out_system_state.machine1_state.seq :=
            (((in_system_state.machine1_state.seq) + 1) mod 3);
      when (rcv_ack0) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (rcv_ack1) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (snd_ack) =>
         out_system_state.GLOBAL_VARIABLES.ACK := in_system_state.machine2_state.exp;
         out_system_state.machine2_state.Rdata := e;
      when (rcv_data) =>
         out_system_state.machine2_state.Rdata :=
            in_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j);
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j) := E;
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine2_state.j) := -1;
         if (in_system_state.machine2_state.j = 1) then
            out_system_state.machine2_state.j := 2;
         else
            out_system_state.machine2_state.j := 1;
         end if;
         out_system_state.machine2_state.exp :=
            (((in_system_state.machine2_state.exp) + 1) mod 3);
      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;
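The three listings above (the variable definitions, the two Analyze_Predicates functions and the Action procedure) are all the SCM tool needs to enumerate the global states of the W=2 go-back-n model. As an added illustration, not part of the thesis's Ada tool, the Python below re-implements those predicates and actions together with the machine-array check, parameterised by the window size W so that the W=3 and W=4 listings of Appendices G and H are covered by the same code (that generalisation is my own), and runs a breadth-first reachability search that reports every global state with no enabled transition, the condition output_Gstate_node flags as an error. The packet names d0, d1, ... and the slot and sequence-number bookkeeping follow the Ada listing.

```python
"""Reachability analysis of the go-back-n SCM model for window size W.

Added example, not the thesis's Ada tool: the variable definitions,
Analyze_Predicates_Machine1/2 and Action of the W=2 listing, generalised
to any W as Appendices G and H do (W channel slots, sequence numbers
mod W+1, transitions rcv_ack0 .. rcv_ack(W-1)), plus a breadth-first
search over the global states.
"""
from collections import deque
from dataclasses import dataclass, replace

E = "e"   # buffer_type value for an empty channel slot; -1 is the empty SEQ/ACK


def machine_arrays(w):
    """Machine arrays as the INPUT (FSM) listings give them: state -> {trans: next}."""
    m1, m2 = {}, {}
    for k in range(w + 1):
        m1[k] = {f"rcv_ack{m}": m for m in range(k)}   # W=2, state 2: rcv_ack0, rcv_ack1
        if k < w:
            m1[k]["snd_data"] = k + 1
        m2[k] = {"snd_ack": 0} if k > 0 else {}
        if k < w:
            m2[k]["rcv_data"] = k + 1
    return m1, m2


@dataclass(frozen=True)
class GState:
    """Global state tuple, fields in the order output_Gtuple prints them."""
    w: int
    s1: int = 0            # machine1_state.state_number
    seq: int = 0           # next sequence number to send
    i: int = 1             # next slot to send into (1-based, as in the Ada)
    s2: int = 0            # machine2_state.state_number
    exp: int = 0           # sequence number the receiver expects
    j: int = 1             # next slot to receive from
    data: tuple = ()       # GLOBAL_VARIABLES.DATA, one entry per slot
    seqv: tuple = ()       # GLOBAL_VARIABLES.SEQ
    ack: int = -1          # GLOBAL_VARIABLES.ACK
    rdata: str = E         # machine2_state.Rdata


def initial_state(w):
    return GState(w=w, data=(E,) * w, seqv=(-1,) * w)


def predicates_machine1(g):
    """Analyze_Predicates_Machine1: every transition whose predicate holds."""
    out = []
    if g.data[g.i - 1] == E and g.seqv[g.i - 1] == -1:
        out.append("snd_data")
    for m in range(g.w):            # temp1..tempW in the Ada: (ACK + m) mod (W+1)
        if g.ack != -1 and (g.ack + m) % (g.w + 1) == g.seq:
            out.append(f"rcv_ack{m}")
    return out


def predicates_machine2(g):
    """Analyze_Predicates_Machine2."""
    out = []
    if g.data[g.j - 1] != E and g.seqv[g.j - 1] == g.exp:
        out.append("rcv_data")
    if g.data[g.j - 1] == E:
        out.append("snd_ack")
    return out


def action(g, t, m1, m2):
    """Action procedure plus the FSM state change the tool takes from the machine arrays."""
    data, seqv = list(g.data), list(g.seqv)
    if t == "snd_data":
        data[g.i - 1] = f"d{g.i - 1}"          # Sdata(i): packet d0, d1, ... per slot
        seqv[g.i - 1] = g.seq
        return replace(g, s1=m1[g.s1][t], data=tuple(data), seqv=tuple(seqv),
                       i=g.i % g.w + 1, seq=(g.seq + 1) % (g.w + 1))
    if t.startswith("rcv_ack"):
        return replace(g, s1=m1[g.s1][t], ack=-1)
    if t == "snd_ack":
        return replace(g, s2=m2[g.s2][t], ack=g.exp, rdata=E)
    if t == "rcv_data":
        rdata = data[g.j - 1]
        data[g.j - 1], seqv[g.j - 1] = E, -1
        return replace(g, s2=m2[g.s2][t], rdata=rdata, data=tuple(data),
                       seqv=tuple(seqv), j=g.j % g.w + 1, exp=(g.exp + 1) % (g.w + 1))
    raise ValueError("There is an error in the Action procedure")


def enabled(g, m1, m2):
    """Predicate results checked against the machine arrays, as the thesis's comment says."""
    return ([t for t in predicates_machine1(g) if t in m1[g.s1]]
            + [t for t in predicates_machine2(g) if t in m2[g.s2]])


def reachability(w):
    """Breadth-first global state graph; returns (graph, states with no successor)."""
    m1, m2 = machine_arrays(w)
    graph, deadlocks, queue = {}, [], deque([initial_state(w)])
    while queue:
        g = queue.popleft()
        if g in graph:
            continue
        succ = [(t, action(g, t, m1, m2)) for t in enabled(g, m1, m2)]
        graph[g] = succ
        if not succ:                 # all links null in output_Gstate_node
            deadlocks.append(g)
        queue.extend(n for _, n in succ)
    return graph, deadlocks


if __name__ == "__main__":
    for w in (1, 2, 3, 4):
        graph, deadlocks = reachability(w)
        print(f"go_back_n_w{w}: {len(graph)} reachable global states, "
              f"{len(deadlocks)} with no enabled transition")
```

For W=1 the search finds the same eight global states as the go_back_n_w1 output earlier in these appendices; for W=2 it finds 60, none of them without an enabled transition.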
OUTPUT FORMAT

separate (main)
procedure output_Gtuple(tuple : in out Gstate_record_type) is
begin
   put(" [" & integer'image(tuple.machine1_state.state_number) & " ,");
   put(integer'image(tuple.machine2_state.state_number));
   put(" , ");
   put(tuple.machine1_state.seq, width => 1);
   put(" , ");
   put(tuple.machine1_state.i, width => 1);
   put(" , ");
   put(tuple.machine2_state.exp, width => 1);
   put(" , ");
   put(tuple.machine2_state.j, width => 1);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(1), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(1), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(2), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(2), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.ACK, width => 3);
   put(" ]");
end output_Gtuple;

separate (main)
procedure output_Gtuple_to_file(tuple   : in out Gstate_record_type;
                                counter : in out integer) is
begin
   put(reach, counter);
   put(reach, " [" & integer'image(tuple.machine1_state.state_number) & " ,");
   put(reach, integer'image(tuple.machine2_state.state_number));
   put(reach, " , ");
   put(reach, tuple.machine1_state.seq, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine1_state.i, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine2_state.exp, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine2_state.j, width => 1);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(1), width => 3);
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(1), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(2), width => 3);
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(2), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.ACK, width => 3);
   put(reach, " ]");
   new_line(reach);
end output_Gtuple_to_file;

separate (main)
procedure output_Gstate_node(Gstate_pointer : in out Glink_type;
                             Error_flag     : in out boolean) is
begin
   output_line_count := output_line_count + 1;
   if ((output_line_count mod 10) = 0) then
      scroll_pause;
   end if;

   set_col(Gcolumn_set);
   put(Gstate_pointer.system_state_number, width => 3);
   output_Gtuple(Gstate_pointer.Gtuple);
   if ((Gstate_pointer.link1.Glink = null) and then (Gstate_pointer.link2.Glink = null)
       and then
       (Gstate_pointer.link3.Glink = null) and then (Gstate_pointer.link4.Glink = null))
   then
      Error_flag := true;
   else
      Error_flag := false;
   end if;
end output_Gstate_node;
OUTPUT

REACHABILITY ANALYSIS of : go_back_n_w2

Global State GRAPH

[the global state tuples are not legible in the scan; only the transition column
survives, in listed order]

snd_data
snd_data
rcv_data
rcv_data
rcv_data
snd_ack

rcv_ack0
snd_data
snd_ack

rcv_ack0
snd_data
rcv_ack1
rcv_data
snd_ack

snd_data
snd_data
rcv_ack0
rcv_ack0
rcv_ack1

rcv_data
rcv_data
snd_ack
snd_ack

rcv_ack0
snd_data
snd_data
snd_data
rcv_data
rcv_data
rcv_data
snd_ack

rcv_ack0
rcv_ack0
rcv_ack1
snd_ack

rcv_ack1
rcv_data
APPENDIX G (SCM) GO_BACK_N, W=3

INPUT (FSM)

start
machine 1
state 0
trans snd_data 1
state 1
trans rcv_ack0 0
trans snd_data 2
state 2
trans rcv_ack0 0
trans rcv_ack1 1
trans snd_data 3
state 3
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
machine 2
state 0
trans rcv_data 1
state 1
trans rcv_data 2
trans snd_ack 0
state 2
trans rcv_data 3
trans snd_ack 0
state 3
trans snd_ack 0
initial state 0 0
finish
VARIABLE DEFINITIONS

package definitions is

   type scm_transition_type is (snd_data, rcv_data,
                                snd_ack, rcv_ack0,
                                rcv_ack1, rcv_ack2, unused);

   type buffer_type is (d0, d1, d2, e, a);

   type buffer_array_type is array(1..3) of buffer_type;

   type seq_array_type is array(1..3) of integer range -1..3;

   type machine1_state_type is
      record
         state_number : natural := 0;
         Sdata        : buffer_array_type := (d0, d1, d2);
         seq          : integer range 0..3 := 0;
         i            : integer range 1..3 := 1;
      end record;

   type machine2_state_type is
      record
         state_number : natural := 0;
         Rdata        : buffer_type := e;
         exp          : integer range 0..3 := 0;
         j            : integer range 1..3 := 1;
      end record;

   type global_variable_type is
      record
         DATA : buffer_array_type := (e, e, e);
         SEQ  : seq_array_type := (-1, -1, -1);
         ACK  : integer range -1..3 := -1;
      end record;

end definitions;
PREDICATE-ACTION

separate (main)
function Analyze_Predicates_Machine1(local  : machine1_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
   temp1 : integer := GLOBAL.ACK + 0;
   temp2 : integer := (GLOBAL.ACK + 1) mod 4;
   temp3 : integer := (GLOBAL.ACK + 2) mod 4;
begin
   MakeEmpty(transition_stack);
   if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
      Push(transition_stack, snd_data);
   end if;
   if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack0);
   end if;
   if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack1);
   end if;
   if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack2);
   end if;
   return transition_stack;
end Analyze_Predicates_Machine1;

separate (main)
function Analyze_Predicates_Machine2(local  : machine2_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   if ((GLOBAL.DATA(local.j) /= E) and (GLOBAL.SEQ(local.j) = local.exp)) then
      Push(transition_stack, rcv_data);
   end if;
   if (GLOBAL.DATA(local.j) = E) then
      Push(transition_stack, snd_ack);
   end if;
   return transition_stack;
end Analyze_Predicates_Machine2;  -- this returned value is then checked against the
                                  -- machine arrays to determine if indeed this
                                  -- transition can be taken

separate (main)
procedure Action(in_system_state  : in out Gstate_record_type;
                 in_transition    : in out scm_transition_type;
                 out_system_state : in out Gstate_record_type) is
   temp : integer := 0;
begin
   case (in_transition) is
      when (snd_data) =>
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.Sdata(in_system_state.machine1_state.i);
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.seq;
         begin
            case (in_system_state.machine1_state.i) is
               when 1 =>
                  out_system_state.machine1_state.i := 2;
               when 2 =>
                  out_system_state.machine1_state.i := 3;
               when 3 =>
                  out_system_state.machine1_state.i := 1;
               when others =>
                  null;
            end case;
         end;
         out_system_state.machine1_state.seq :=
            (((in_system_state.machine1_state.seq) + 1) mod 4);
      when (rcv_ack0) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (rcv_ack1) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (rcv_ack2) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (snd_ack) =>
         out_system_state.GLOBAL_VARIABLES.ACK := in_system_state.machine2_state.exp;
         out_system_state.machine2_state.Rdata := e;
      when (rcv_data) =>
         out_system_state.machine2_state.Rdata :=
            in_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j);
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j) := E;
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine2_state.j) := -1;
         begin
            case (in_system_state.machine2_state.j) is
               when 1 =>
                  out_system_state.machine2_state.j := 2;
               when 2 =>
                  out_system_state.machine2_state.j := 3;
               when 3 =>
                  out_system_state.machine2_state.j := 1;
               when others =>
                  null;
            end case;
         end;
         out_system_state.machine2_state.exp :=
            (((in_system_state.machine2_state.exp) + 1) mod 4);
      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;
OUTPUT FORMAT

separate (main)
procedure output_Gtuple(tuple : in out Gstate_record_type) is
begin
   put(" [" & integer'image(tuple.machine1_state.state_number) & " ,");
   put(integer'image(tuple.machine2_state.state_number));
   put(" , ");
   put(tuple.machine1_state.seq, width => 1);
   put(" , ");
   put(tuple.machine1_state.i, width => 1);
   put(" , ");
   put(tuple.machine2_state.exp, width => 1);
   put(" , ");
   put(tuple.machine2_state.j, width => 1);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(1), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(1), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(2), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(2), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(3), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(3), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.ACK, width => 3);
   put(" ]");
end output_Gtuple;

separate (main)
procedure output_Gtuple_to_file(tuple   : in out Gstate_record_type;
                                counter : in out integer) is
begin
   put(reach, counter);
   put(reach, " [" & integer'image(tuple.machine1_state.state_number) & " ,");
   put(reach, integer'image(tuple.machine2_state.state_number));
   put(reach, " , ");
   put(reach, tuple.machine1_state.seq, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine1_state.i, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine2_state.exp, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine2_state.j, width => 1);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(1), width => 3);
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(1), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(2), width => 3);
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(2), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(3), width => 3);
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(3), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.ACK, width => 3);
   put(reach, " ]");
   new_line(reach);
end output_Gtuple_to_file;

separate (main)
procedure output_Gstate_node(Gstate_pointer : in out Glink_type;
                             Error_flag     : in out boolean) is
begin
   output_line_count := output_line_count + 1;
   if ((output_line_count mod 10) = 0) then
      scroll_pause;
   end if;

   set_col(Gcolumn_set);
   put(Gstate_pointer.system_state_number, width => 3);
   output_Gtuple(Gstate_pointer.Gtuple);
   if ((Gstate_pointer.link1.Glink = null) and then (Gstate_pointer.link2.Glink = null)
       and then
       (Gstate_pointer.link3.Glink = null) and then (Gstate_pointer.link4.Glink = null))
   then
      Error_flag := true;
   else
      Error_flag := false;
   end if;
end output_Gstate_node;
APPENDIX H (SCM) GO_BACK_N, W=4

INPUT (FSM)

start
machine 1
state 0
trans snd_data 1
state 1
trans rcv_ack0 0
trans snd_data 2
state 2
trans rcv_ack0 0
trans rcv_ack1 1
trans snd_data 3
state 3
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans snd_data 4
state 4
trans rcv_ack0 0
trans rcv_ack1 1
trans rcv_ack2 2
trans rcv_ack3 3
machine 2
state 0
trans rcv_data 1
state 1
trans rcv_data 2
trans snd_ack 0
state 2
trans rcv_data 3
trans snd_ack 0
state 3
trans rcv_data 4
trans snd_ack 0
state 4
trans snd_ack 0
initial state 0 0
finish
VARIABLE DEFINITIONS

package definitions is

   type scm_transition_type is (snd_data, rcv_data,
                                snd_ack, rcv_ack0,
                                rcv_ack1, rcv_ack2,
                                rcv_ack3, unused);

   type buffer_type is (d0, d1, d2, d3, e, a);
   type buffer_array_type is array(1..4) of buffer_type;
   type seq_array_type is array(1..4) of integer range -1..4;

   type machine1_state_type is
      record
         state_number : natural := 0;
         Sdata        : buffer_array_type := (d0, d1, d2, d3);
         seq          : integer range 0..4 := 0;
         i            : integer range 1..4 := 1;
      end record;

   type machine2_state_type is
      record
         state_number : natural := 0;
         Rdata        : buffer_type := e;
         exp          : integer range 0..4 := 0;
         j            : integer range 1..4 := 1;
      end record;

   type global_variable_type is
      record
         DATA : buffer_array_type := (e, e, e, e);
         SEQ  : seq_array_type := (-1, -1, -1, -1);
         ACK  : integer range -1..4 := -1;
      end record;

end definitions;
PREDICATE-ACTION

separate (main)
function Analyze_Predicates_Machine1(local  : machine1_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
   temp1 : integer := GLOBAL.ACK + 0;
   temp2 : integer := (GLOBAL.ACK + 1) mod 5;
   temp3 : integer := (GLOBAL.ACK + 2) mod 5;
   temp4 : integer := (GLOBAL.ACK + 3) mod 5;
begin
   MakeEmp­ty(transition_stack);
   if ((GLOBAL.DATA(local.i) = E) and (GLOBAL.SEQ(local.i) = -1)) then
      Push(transition_stack, snd_data);
   end if;
   if ((temp1 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack0);
   end if;
   if ((temp2 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack1);
   end if;
   if ((temp3 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack2);
   end if;
   if ((temp4 = local.seq) and (GLOBAL.ACK /= -1)) then
      Push(transition_stack, rcv_ack3);
   end if;
   return transition_stack;
end Analyze_Predicates_Machine1;

separate (main)
function Analyze_Predicates_Machine2(local  : machine2_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   if ((GLOBAL.DATA(local.j) /= E) and (GLOBAL.SEQ(local.j) = local.exp)) then
      Push(transition_stack, rcv_data);
   end if;
   if (GLOBAL.DATA(local.j) = E) then
      Push(transition_stack, snd_ack);
   end if;
   return transition_stack;
end Analyze_Predicates_Machine2;

separate (main)
procedure Action(in_system_state  : in out Gstate_record_type;
                 in_transition    : in out scm_transition_type;
                 out_system_state : in out Gstate_record_type) is
   temp : integer := 0;
begin
   case (in_transition) is
      when (snd_data) =>
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.Sdata(in_system_state.machine1_state.i);
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine1_state.i) :=
            in_system_state.machine1_state.seq;
         begin
            case (in_system_state.machine1_state.i) is
               when 1 =>
                  out_system_state.machine1_state.i := 2;
               when 2 =>
                  out_system_state.machine1_state.i := 3;
               when 3 =>
                  out_system_state.machine1_state.i := 4;
               when 4 =>
                  out_system_state.machine1_state.i := 1;
               when others =>
                  null;
            end case;
         end;
         out_system_state.machine1_state.seq :=
            (((in_system_state.machine1_state.seq) + 1) mod 5);
      when (rcv_ack0) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (rcv_ack1) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (rcv_ack2) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (rcv_ack3) =>
         out_system_state.GLOBAL_VARIABLES.ACK := -1;
      when (snd_ack) =>
         out_system_state.GLOBAL_VARIABLES.ACK := in_system_state.machine2_state.exp;
         out_system_state.machine2_state.Rdata := e;
      when (rcv_data) =>
         out_system_state.machine2_state.Rdata :=
            in_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j);
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine2_state.j) := E;
         out_system_state.GLOBAL_VARIABLES.SEQ(in_system_state.machine2_state.j) := -1;
         begin
            case (in_system_state.machine2_state.j) is
               when 1 =>
                  out_system_state.machine2_state.j := 2;
               when 2 =>
                  out_system_state.machine2_state.j := 3;
               when 3 =>
                  out_system_state.machine2_state.j := 4;
               when 4 =>
                  out_system_state.machine2_state.j := 1;
               when others =>
                  null;
            end case;
         end;
         out_system_state.machine2_state.exp :=
            (((in_system_state.machine2_state.exp) + 1) mod 5);
      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;




OUTPUT FORMAT 


separate (main)
procedure output_Gtuple(tuple : in out Gstate_record_type) is
begin
   put(" [" & integer'image(tuple.machine1_state.state_number) & " ,");
   put(integer'image(tuple.machine2_state.state_number));
   put(" , ");
   put(tuple.machine1_state.seq, width => 1);
   put(" , ");
   put(tuple.machine1_state.i, width => 1);
   put(" , ");
   put(tuple.machine2_state.exp, width => 1);
   put(" , ");
   put(tuple.machine2_state.j, width => 1);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(1), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(1), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(2), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(2), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(3), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(3), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA(4), width => 3);
   put(tuple.GLOBAL_VARIABLES.SEQ(4), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.ACK, width => 3);
   put(" ]");
end output_Gtuple;

separate (main)
procedure output_Gtuple_to_file(tuple   : in out Gstate_record_type;
                                counter : in out integer) is
begin
   put(reach, counter);
   put(reach, " [" & integer'image(tuple.machine1_state.state_number) & " ,");
   put(reach, integer'image(tuple.machine2_state.state_number));
   put(reach, " , ");
   put(reach, tuple.machine1_state.seq, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine1_state.i, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine2_state.exp, width => 1);
   put(reach, " , ");
   put(reach, tuple.machine2_state.j, width => 1);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(1), width => 3);
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(1), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(2), width => 3);
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(2), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(3), width => 3);
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(3), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(4), width => 3);   -- fourth slot, as in output_Gtuple
   put(reach, tuple.GLOBAL_VARIABLES.SEQ(4), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.ACK, width => 3);
   put(reach, " ]");
   new_line(reach);
end output_Gtuple_to_file;

separate (main)
procedure output_Gstate_node(Gstate_pointer : in out Glink_type;
                             Error_flag     : in out boolean) is
begin
   output_line_count := output_line_count + 1;
   if ((output_line_count mod 10) = 0) then
      scroll_pause;
   end if;

   set_col(Gcolumn_set);
   put(Gstate_pointer.system_state_number, width => 3);
   output_Gtuple(Gstate_pointer.Gtuple);
   if ((Gstate_pointer.link1.Glink = null) and then (Gstate_pointer.link2.Glink = null)
       and then
       (Gstate_pointer.link3.Glink = null) and then (Gstate_pointer.link4.Glink = null))
   then
      Error_flag := true;
   else
      Error_flag := false;
   end if;
end output_Gstate_node;
| Machine 1 Array Contents |
| From | To | Transition | Executed |
| 0 | 1 | snd_data | yes |
| 1 | 0 | rcv_ack0 | yes |
| 1 | 2 | snd_data | yes |
| 2 | 0 | rcv_ack0 | yes |
| 2 | 1 | rcv_ack1 | yes |
| 2 | 3 | snd_data | yes |
| 3 | 0 | rcv_ack0 | yes |
| 3 | 1 | rcv_ack1 | yes |
| 3 | 2 | rcv_ack2 | yes |
| 3 | 4 | snd_data | yes |
| 4 | 0 | rcv_ack0 | yes |
| 4 | 1 | rcv_ack1 | yes |
| 4 | 2 | rcv_ack2 | yes |
| 4 | 3 | rcv_ack3 | yes |

| Machine 2 Array Contents |
| From | To | Transition | Executed |
| 0 | 1 | rcv_data | yes |
| 1 | 2 | rcv_data | yes |
| 1 | 0 | snd_ack | yes |
| 2 | 3 | rcv_data | yes |
| 2 | 0 | snd_ack | yes |
| 3 | 4 | rcv_data | yes |
| 3 | 0 | snd_ack | yes |
| 4 | 0 | snd_ack | yes |
APPENDIX I (SCM) SELECTIVE REPEAT, W=1

INPUT

start
machine 1
state 0
trans snd_data1 1
state 1
trans rcv_ack1 2
state 2
trans adv_win1 0
machine 2
state 0
trans rcv_data1 1
state 1
trans snd_ack1 0
initial state 0 0
finish
VARIABLE DEFINITIONS

package definitions is

   type scm_transition_type is (snd_data1, rcv_data1, snd_ack1,
                                rcv_ack1, adv_win1, unused);
   type buffer_type is (d1, e, a1);
   type boolean_type is (t, f);

   type buffer_array_type is array(1..1) of buffer_type;
   type boolean_array_type is array(1..1) of boolean_type;

   type machine1_state_type is
      record
         state_number : natural := 0;
         out_buffer   : buffer_array_type := (others => d1);
         ack_rec      : boolean_array_type := (others => f);
         current      : integer range 1..1 := 1;
      end record;

   type machine2_state_type is
      record
         state_number : natural := 0;
         in_buffer    : buffer_array_type := (others => e);
         pkt_rec      : boolean_array_type := (others => f);
         current      : integer range 1..1 := 1;
      end record;

   type global_variable_type is
      record
         DATA : buffer_type := e;
      end record;

end definitions;




PREDICATE-ACTION

separate (main)
function Analyze_Predicates_Machine1(local  : machine1_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   if (local.out_buffer(1) /= E) then
      Push(transition_stack, snd_data1);
   end if;
   if ((local.ack_rec(1) = f) and (GLOBAL.DATA = A1)) then
      Push(transition_stack, rcv_ack1);
   end if;
   Push(transition_stack, adv_win1);
   return transition_stack;
end Analyze_Predicates_Machine1;

separate (main)
function Analyze_Predicates_Machine2(local  : machine2_state_type;
                                     GLOBAL : global_variable_type)
                                     return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   if ((GLOBAL.DATA = D1) and (local.pkt_rec(1) = f)) then
      Push(transition_stack, rcv_data1);
   end if;
   if (local.pkt_rec(1) = t) then
      Push(transition_stack, snd_ack1);
   end if;
   return transition_stack;
end Analyze_Predicates_Machine2;  -- this returned value is then checked against the
                                  -- machine arrays to determine if indeed this
                                  -- transition can be taken

separate (main)
procedure Action(in_system_state  : in out Gstate_record_type;
                 in_transition    : in out scm_transition_type;
                 out_system_state : in out Gstate_record_type) is
   temp : integer := 0;
begin
   case (in_transition) is
      when (snd_data1) =>
         out_system_state.GLOBAL_VARIABLES.DATA :=
            in_system_state.machine1_state.out_buffer(1);
      when (rcv_ack1) =>
         out_system_state.machine1_state.ack_rec(1) := t;
         out_system_state.GLOBAL_VARIABLES.DATA := e;
         out_system_state.machine1_state.current := 1;
      when (rcv_data1) =>
         out_system_state.machine2_state.in_buffer(1) :=
            in_system_state.GLOBAL_VARIABLES.DATA;
         out_system_state.GLOBAL_VARIABLES.DATA := e;
         out_system_state.machine2_state.pkt_rec(1) := t;
      when (snd_ack1) =>
         out_system_state.GLOBAL_VARIABLES.DATA := a1;
         out_system_state.machine2_state.pkt_rec(1) := f;
         out_system_state.machine2_state.in_buffer(1) := e;
      when (adv_win1) =>
         out_system_state.machine1_state.ack_rec(in_system_state.machine1_state.current) := f;
      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;
OUTPUT FORMAT

separate (main)
procedure output_Gtuple(tuple : in out Gstate_record_type) is
begin
   put(" [" & integer'image(tuple.machine1_state.state_number));
   put(" ," & integer'image(tuple.machine2_state.state_number));
   put(" , ");
   put(tuple.machine1_state.out_buffer(1), width => 1);
   put(" , ");
   put(tuple.machine1_state.ack_rec(1), width => 2);
   put(" , ");
   put(tuple.machine2_state.in_buffer(1), width => 1);
   put(" , ");
   put(tuple.machine2_state.pkt_rec(1), width => 2);
   put(" , ");
   put(tuple.GLOBAL_VARIABLES.DATA, width => 2);
   put(" ]");
end output_Gtuple;

separate (main)
procedure output_Gtuple_to_file(tuple   : in out Gstate_record_type;
                                counter : in out integer) is
begin
   put(reach, counter);
   put(reach, " [" & integer'image(tuple.machine1_state.state_number));
   put(reach, " ," & integer'image(tuple.machine2_state.state_number));
   put(reach, " , ");
   put(reach, tuple.machine1_state.out_buffer(1), width => 1);
   put(reach, " , ");
   put(reach, tuple.machine1_state.ack_rec(1), width => 2);
   put(reach, " , ");
   put(reach, tuple.machine2_state.in_buffer(1), width => 1);
   put(reach, " , ");
   put(reach, tuple.machine2_state.pkt_rec(1), width => 2);
   put(reach, " , ");
   put(reach, tuple.GLOBAL_VARIABLES.DATA, width => 2);
   put(reach, " ]");
   new_line(reach);
end output_Gtuple_to_file;

separate (main)
procedure output_Gstate_node(Gstate_pointer : in out Glink_type;
                             Error_flag     : in out boolean) is
begin
   output_line_count := output_line_count + 1;
   if ((output_line_count mod 10) = 0) then
      scroll_pause;
   end if;

   set_col(Gcolumn_set);
   put(Gstate_pointer.system_state_number, width => 3);
   output_Gtuple(Gstate_pointer.Gtuple);
   if ((Gstate_pointer.link1.Glink = null) and then (Gstate_pointer.link2.Glink = null)
       and then
       (Gstate_pointer.link3.Glink = null) and then (Gstate_pointer.link4.Glink = null))
   then
      Error_flag := true;
   else
      Error_flag := false;
   end if;
end output_Gstate_node;
| Machine 1 Array Contents |

| From | To | Transition | Executed |
| 0    | 1  | snd_data1  | yes      |
| 1    | 2  | rcv_ack1   | yes      |
| 2    | 0  | adv_win1   | yes      |

| Machine 2 Array Contents |

| From | To | Transition | Executed |
| 0    | 1  | rcv_data1  | yes      |
| 1    | 0  | snd_ack1   | yes      |
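The exploration step that the comment on Analyze_Predicates_Machine2 describes (candidate transitions from the predicate functions, filtered against the machine arrays, successor tuple from the Action procedure, node flagged when it has no successor), written out as an added Python example. This is not the thesis's Ada program. It models the single-channel (W=1) protocol whose Action procedure and array tables appear above; the two predicate functions are my transcription of that model, since Appendix I's own predicate functions are not reproduced on this page. A second, constructed array set with machine 2's snd_ack1 row dropped shows how a deadlocked global state is reported, the same condition output_Gstate_node signals through Error_flag.

```python
# Added example (Python, not the thesis's Ada tool): breadth-first exploration of
# the global state space for the single-channel (W=1) model listed above.
# Assumption: the predicate functions are my transcription of that model; the
# actions follow the listed Action procedure.
from collections import deque

# Machine arrays exactly as the "Array Contents" tables above list them.
ARRAYS = {
    1: [(0, 1, "snd_data1"), (1, 2, "rcv_ack1"), (2, 0, "adv_win1")],
    2: [(0, 1, "rcv_data1"), (1, 0, "snd_ack1")],
}
# Constructed faulty specification: machine 2 never sends its acknowledgement.
BROKEN_ARRAYS = {1: ARRAYS[1], 2: [(0, 1, "rcv_data1")]}

# Global tuple: (machine1 state, machine2 state, ack_rec(1), pkt_rec(1), DATA, in_buffer(1)).
# out_buffer(1) is the constant d1 from the definitions package, so it is not carried.
INITIAL = (0, 0, "f", "f", "e", "e")


def predicates_machine1(g):
    """Transitions machine 1 would like to take in global state g (assumed predicates)."""
    _, _, ack_rec, _, data, _ = g
    enabled = []
    if data == "e":                          # channel free, packet may be sent
        enabled.append("snd_data1")
    if data == "a1" and ack_rec == "f":      # acknowledgement waiting on the channel
        enabled.append("rcv_ack1")
    if ack_rec == "t":                       # acknowledged, window may advance
        enabled.append("adv_win1")
    return enabled


def predicates_machine2(g):
    """Transitions machine 2 would like to take in global state g (assumed predicates)."""
    _, _, _, pkt_rec, data, _ = g
    enabled = []
    if data == "d1" and pkt_rec == "f":
        enabled.append("rcv_data1")
    if pkt_rec == "t":
        enabled.append("snd_ack1")
    return enabled


def action(g, transition):
    """Successor variables, one arm per case alternative of the Action procedure."""
    s1, s2, ack_rec, pkt_rec, data, in_buf = g
    if transition == "snd_data1":
        data = "d1"                                  # DATA := out_buffer(1)
    elif transition == "rcv_ack1":
        ack_rec, data = "t", "e"
    elif transition == "rcv_data1":
        in_buf, data, pkt_rec = "d1", "e", "t"
    elif transition == "snd_ack1":
        data, pkt_rec, in_buf = "a1", "f", "e"
    elif transition == "adv_win1":
        ack_rec = "f"
    else:
        raise ValueError(f"unknown transition {transition!r}")
    return (s1, s2, ack_rec, pkt_rec, data, in_buf)


def allowed(arrays, machine, state, transition):
    """The array check: return the To state if the FSM has this row, else None."""
    for frm, to, name in arrays[machine]:
        if frm == state and name == transition:
            return to
    return None


def explore(arrays, initial=INITIAL):
    """Return (state numbers, edges, deadlocks).  A deadlock is a reachable global
    state with no successor, which output_Gstate_node signals through Error_flag."""
    numbers, edges, deadlocks = {initial: 0}, [], []
    queue = deque([initial])
    while queue:
        g = queue.popleft()
        successors = []
        for machine, preds in ((1, predicates_machine1), (2, predicates_machine2)):
            for tr in preds(g):
                to = allowed(arrays, machine, g[machine - 1], tr)
                if to is None:
                    continue                         # enabled, but not in the machine array
                nxt = list(action(g, tr))
                nxt[machine - 1] = to                # the machine moves to the row's To state
                successors.append((tuple(nxt), tr))
        if not successors:
            deadlocks.append(numbers[g])
        for nxt, tr in successors:
            if nxt not in numbers:
                numbers[nxt] = len(numbers)          # numbered in order of discovery
                queue.append(nxt)
            edges.append((numbers[g], tr, numbers[nxt]))
    return numbers, edges, deadlocks


if __name__ == "__main__":
    for name, arrays in (("selective repeat, W=1", ARRAYS), ("faulty spec", BROKEN_ARRAYS)):
        numbers, edges, deadlocks = explore(arrays)
        print(name)
        for g, n in numbers.items():
            print(f"{n:3} [{','.join(str(x) for x in g)}]" + ("  no successor" if n in deadlocks else ""))
        for src, tr, dst in edges:
            print(f"    {src} -{tr}-> {dst}")
```

With the arrays from the tables the run reaches five global states and returns to the initial tuple through adv_win1; with the faulty arrays the third state (packet received, acknowledgement pending) has no successor, because snd_data1 is enabled by the predicate but not present in machine 1's array from state 1 and machine 2 has no row at all. That second case is exactly the kind of unspecified reception a reachability analysis is meant to expose.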
APPENDIX J (SCM) SELECTIVE REPEAT, W=2

INPUT (FSM)

start
machine 1
state 0
trans snd_data1 1
state 1
trans rcv_ack1 2
state 2
trans adv_win1 0
machine 2
state 0
trans rcv_data1 1
state 1
trans snd_ack1 0
initial state 0 0
finish
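A parser for the INPUT (FSM) format shown above, as an added Python example; it is not part of the thesis's tool. It assumes the file consists of exactly the keyword lines seen in the listing (start, machine N, state N, trans NAME TO, initial state A B, finish) and turns them into the per-machine From/To/Transition arrays that the tool prints as "Array Contents", rejecting a transition whose target state was never declared. The sample input is transcribed from the listing above.

```python
# Added example (not the thesis's Ada code): parse the SCM "INPUT (FSM)" text
# format into per-machine transition arrays.  Assumption: the keyword lines are
# exactly those of the listing above.
from collections import OrderedDict

# Constructed sample input, transcribed from the Appendix J listing.
SAMPLE_FSM = """\
start
machine 1
state 0
trans snd_data1 1
state 1
trans rcv_ack1 2
state 2
trans adv_win1 0
machine 2
state 0
trans rcv_data1 1
state 1
trans snd_ack1 0
initial state 0 0
finish
"""


def parse_fsm(text):
    """Return (machines, initial): machines maps a machine number to its list of
    (from_state, to_state, transition) rows, initial is the tuple of initial states."""
    machines = OrderedDict()      # machine number -> [(from, to, transition), ...]
    declared = {}                 # machine number -> set of declared state numbers
    current_machine = current_state = initial = None
    started = finished = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        key = tokens[0]
        if key == "start":
            started = True
        elif not started:
            raise ValueError(f"line {lineno}: text before 'start'")
        elif key == "finish":
            finished = True
            break
        elif key == "machine":
            current_machine = int(tokens[1])
            machines[current_machine] = []
            declared[current_machine] = set()
            current_state = None
        elif key == "state":
            if current_machine is None:
                raise ValueError(f"line {lineno}: 'state' before any 'machine'")
            current_state = int(tokens[1])
            declared[current_machine].add(current_state)
        elif key == "trans":
            if current_state is None:
                raise ValueError(f"line {lineno}: 'trans' before any 'state'")
            machines[current_machine].append((current_state, int(tokens[2]), tokens[1]))
        elif key == "initial" and tokens[1:2] == ["state"]:
            initial = tuple(int(s) for s in tokens[2:])
        else:
            raise ValueError(f"line {lineno}: unexpected keyword {key!r}")
    if not finished:
        raise ValueError("missing 'finish'")
    if initial is None or len(initial) != len(machines):
        raise ValueError("'initial state' must give one state per machine")
    # every To state must be a state the same machine declared
    for m, rows in machines.items():
        for frm, to, name in rows:
            if to not in declared[m]:
                raise ValueError(f"machine {m}: {name} goes to undeclared state {to}")
    return machines, initial


def array_contents(machines):
    """Render the arrays in the layout of the tool's 'Array Contents' tables."""
    lines = []
    for m, rows in machines.items():
        lines.append(f"Machine {m} Array Contents")
        lines.append("From | To | Transition")
        for frm, to, name in rows:
            lines.append(f"{frm:>4} | {to:>2} | {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    machines, initial = parse_fsm(SAMPLE_FSM)
    print(array_contents(machines))
    print("initial global state:", initial)
```

The undeclared-target check matters because a row pointing at a state with no entry is how a typo in the input file turns into a node that can never be left; catching it at parse time keeps the reachability run from reporting a spurious deadlock.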
VARIABLE DEFINITIONS

package definitions is

   type scm_transition_type is (snd_data, rcv_data,
                                snd_ack, rcv_ack,
                                adv_win1, unused);

   type buffer_type is (d1, d2, e, a1, a2);

   -- literals garbled in the source; t and f are the values used throughout
   type boolean_type is (t, f);

   subtype ack_buffer_type is buffer_type range e..a2;

   subtype data_buffer_type is buffer_type range d1..e;

   type ack_array_type is array(1..2) of ack_buffer_type;
   type data_array_type is array(1..2) of data_buffer_type;

   type boolean_array_type is array(1..2) of boolean_type;

   type machine1_state_type is
      record
         state_number : natural := 0;
         out_buffer   : data_array_type := (d1, d2);
         ack_rec      : boolean_array_type := (others => f);
         current      : integer range 1..2 := 1;
         hold         : boolean_type := f;
      end record;

   type machine2_state_type is
      record
         state_number : natural := 0;
         in_buffer    : data_array_type := (others => e);
         pkt_rec      : boolean_array_type := (others => f);
      end record;

   type global_variable_type is
      record
         DATA    : data_array_type := (others => e);
         CONTROL : ack_array_type := (others => e);
      end record;

end definitions;
PREDICATE-ACTION

separate (main)
function Analyze_Predicates_Machine1(local  : machine1_state_type;
                                     GLOBAL : global_variable_type) return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   -- a slot may be sent when the sender is not holding and that channel slot is empty
   if (((local.hold = f) and (local.out_buffer(1) /= E) and (GLOBAL.DATA(1) = E)) or
       ((local.hold = f) and (local.out_buffer(2) /= E) and (GLOBAL.DATA(2) = E))) then
      Push(transition_stack, snd_data);
   end if;

   -- an acknowledgement may be received when it is on the channel and not yet recorded
   if (((local.ack_rec(1) = f) and (GLOBAL.CONTROL(1) = A1)) or
       ((local.ack_rec(2) = f) and (GLOBAL.CONTROL(2) = A2))) then
      Push(transition_stack, rcv_ack);
   end if;
   Push(transition_stack, adv_win1);
   return transition_stack;
end Analyze_Predicates_Machine1;

separate (main)
function Analyze_Predicates_Machine2(local  : machine2_state_type;
                                     GLOBAL : global_variable_type) return transition_stack_package.stack is
begin
   MakeEmpty(transition_stack);
   if (((GLOBAL.DATA(1) = D1) and (GLOBAL.DATA(2) = E) and (local.pkt_rec(1) = f)) or
       ((GLOBAL.DATA(1) = E) and (GLOBAL.DATA(2) = D2) and (local.pkt_rec(2) = f)) or
       ((GLOBAL.DATA(1) = D1) and (GLOBAL.DATA(2) = D2) and (local.pkt_rec(1) = t) and
        (local.pkt_rec(2) = f)) or
       ((GLOBAL.DATA(1) = D1) and (GLOBAL.DATA(2) = D2) and (local.pkt_rec(1) = f) and
        (local.pkt_rec(2) = f))) then
      Push(transition_stack, rcv_data);
   end if;
   if (((GLOBAL.CONTROL(1) = E) and (local.pkt_rec(1) = t)) or
       ((GLOBAL.CONTROL(2) = E) and (local.pkt_rec(2) = t))) then
      Push(transition_stack, snd_ack);
   end if;

   return transition_stack;
end Analyze_Predicates_Machine2; -- this returned value is then checked against the
                                 -- machine arrays to determine if indeed this
                                 -- transition can be taken


separate (main)

procedure Action(in_system_state  : in out Gstate_record_type;
                 in_transition    : in out scm_transition_type;
                 out_system_state : in out Gstate_record_type) is

   temp : integer := 0;
begin
   case (in_transition) is
      when (snd_data) =>
         out_system_state.GLOBAL_VARIABLES.DATA(in_system_state.machine1_state.current) :=
            in_system_state.machine1_state.out_buffer(in_system_state.machine1_state.current);
         out_system_state.machine1_state.current := in_system_state.machine1_state.current;
         begin
            case (in_system_state.machine1_state.current) is
               when 1 =>
                  out_system_state.machine1_state.current := 2;
               when 2 =>
                  out_system_state.machine1_state.current := 1;
                  out_system_state.machine1_state.hold := t;
               when others =>
                  put_line("error in the action procedure");
            end case;
         end;
      when (rcv_ack) =>
         if (in_system_state.GLOBAL_VARIABLES.CONTROL(1) = A1) then
            out_system_state.machine1_state.ack_rec(1) := t;
            out_system_state.GLOBAL_VARIABLES.CONTROL(1) := e;
            out_system_state.machine1_state.current := 1;
         else
            if (in_system_state.GLOBAL_VARIABLES.CONTROL(2) = A2) then
               out_system_state.machine1_state.ack_rec(2) := t;
               out_system_state.GLOBAL_VARIABLES.CONTROL(2) := e;
               out_system_state.machine1_state.current := 2;
            end if;
         end if;
      when (rcv_data) =>
         if (in_system_state.GLOBAL_VARIABLES.DATA(1) = D1) then
            out_system_state.machine2_state.in_buffer(1) :=
               in_system_state.GLOBAL_VARIABLES.DATA(1);
            out_system_state.GLOBAL_VARIABLES.DATA(1) := e;
            out_system_state.machine2_state.pkt_rec(1) := t;
         else
            if (in_system_state.GLOBAL_VARIABLES.DATA(2) = D2) then
               out_system_state.machine2_state.in_buffer(2) :=
                  in_system_state.GLOBAL_VARIABLES.DATA(2);
               out_system_state.GLOBAL_VARIABLES.DATA(2) := e;
               out_system_state.machine2_state.pkt_rec(2) := t;
            end if;
         end if;
      when (snd_ack) =>
         if (in_system_state.machine2_state.pkt_rec(1) = t) then
            out_system_state.GLOBAL_VARIABLES.CONTROL(1) := a1;
            out_system_state.machine2_state.pkt_rec(1) := f;
            out_system_state.machine2_state.in_buffer(1) := e;
         else
            if (in_system_state.machine2_state.pkt_rec(2) = t) then
               -- the value assigned to CONTROL(2) is cut off in the source;
               -- a2 follows the pattern of the CONTROL(1) branch above
               out_system_state.GLOBAL_VARIABLES.CONTROL(2) := a2;
               out_system_state.machine2_state.pkt_rec(2) := f;
               out_system_state.machine2_state.in_buffer(2) := e;
            end if;
         end if;
      when (adv_win1) =>
         if ((in_system_state.machine1_state.ack_rec(1) = t) and
             (in_system_state.machine1_state.ack_rec(2) = f) and
             (in_system_state.machine1_state.hold = t) and
             (in_system_state.machine1_state.current = 1) and
             (in_system_state.GLOBAL_VARIABLES.DATA(1) = E) and
             (in_system_state.GLOBAL_VARIABLES.DATA(2) = D2)) then
            out_system_state.machine1_state.ack_rec(1) := f;
            out_system_state.machine1_state.ack_rec(2) := f;
            out_system_state.machine1_state.hold := f;
            out_system_state.machine1_state.current := 2;
            -- the value assigned to DATA(1) is garbled in the source; read as D1
            out_system_state.GLOBAL_VARIABLES.DATA(1) := D1;
            out_system_state.GLOBAL_VARIABLES.DATA(2) := E;
         elsif
            ((in_system_state.machine1_state.ack_rec(1) = t) and
             (in_system_state.machine1_state.ack_rec(2) = f) and
             (in_system_state.machine1_state.hold = t) and
             (in_system_state.machine1_state.current = 1) and
             (in_system_state.machine2_state.in_buffer(1) = E) and
             (in_system_state.machine2_state.in_buffer(2) = D2) and
             (in_system_state.machine2_state.pkt_rec(1) = f) and
             (in_system_state.machine2_state.pkt_rec(2) = t)) then
            out_system_state.machine1_state.ack_rec(1) := f;
            out_system_state.machine1_state.ack_rec(2) := f;
            out_system_state.machine1_state.hold := f;
            out_system_state.machine1_state.current := 2;
            -- the values assigned in the next four statements are cut off in the source
            -- out_system_state.machine2_state.in_buffer(1) := ...
            -- out_system_state.machine2_state.in_buffer(2) := ...
            -- out_system_state.machine2_state.pkt_rec(1) := ...
            -- out_system_state.machine2_state.pkt_rec(2) := ...
         elsif
            ((in_system_state.machine1_state.ack_rec(1) = t) and
             (in_system_state.machine1_state.ack_rec(2) = f) and
             (in_system_state.machine1_state.hold = t) and
             (in_system_state.machine1_state.current = 1) and
             (in_system_state.GLOBAL_VARIABLES.CONTROL(1) = E) and
             (in_system_state.GLOBAL_VARIABLES.CONTROL(2) = A2)) then
            -- the two ack_rec values are garbled in the source; f matches the
            -- two branches above
            out_system_state.machine1_state.ack_rec(1) := f;
            out_system_state.machine1_state.ack_rec(2) := f;
            out_system_state.machine1_state.hold := f;
            out_system_state.machine1_state.current := 2;
            out_system_state.GLOBAL_VARIABLES.CONTROL(1) := A1;
            out_system_state.GLOBAL_VARIABLES.CONTROL(2) := E;
         else
            -- the trailing "and", "then" and ":= f;" tokens of the conditions
            -- below were scattered into a separate column by the scan and have
            -- been rejoined to their statements
            if ((in_system_state.machine1_state.ack_rec(1) = t) and
                (in_system_state.GLOBAL_VARIABLES.DATA(2) /= E)) then
               out_system_state.machine1_state.hold := t;
            elsif ((in_system_state.machine1_state.ack_rec(1) = t) and
                   (in_system_state.machine1_state.ack_rec(2) = f) and
                   (in_system_state.GLOBAL_VARIABLES.DATA(2) = E)) then
               out_system_state.machine1_state.ack_rec(1) := f;
            elsif ((in_system_state.machine1_state.ack_rec(1) = f) and
                   (in_system_state.machine1_state.ack_rec(2) = t) and
                   (in_system_state.machine1_state.hold = t)) then
               out_system_state.machine1_state.ack_rec(2) := f;
               out_system_state.machine1_state.hold := f;
            else
               if ((in_system_state.machine1_state.ack_rec(1) = t) and
                   (in_system_state.machine1_state.ack_rec(2) = t) and
                   (in_system_state.GLOBAL_VARIABLES.DATA(1) = E) and
                   (in_system_state.GLOBAL_VARIABLES.DATA(2) = E)) then
                  out_system_state.machine1_state.hold := f;
                  out_system_state.machine1_state.ack_rec(1) := f;
                  out_system_state.machine1_state.ack_rec(2) := f;
               end if;
            end if;
            out_system_state.machine1_state.current := 1;
         end if;
      when others =>
         put_line("There is an error in the Action procedure");
   end case;
end Action;
OUTPUT FORMAT

separate (main)
procedure output_Gtuple(tuple : in out Gstate_record_type) is
begin
   put("[" & integer'image(tuple.machine1_state.state_number));
   put("," & integer'image(tuple.machine2_state.state_number));
   put(",");
   put(tuple.machine1_state.out_buffer(1), width => 2);
   put(",");
   put(tuple.machine1_state.out_buffer(2), width => 2);
   put(",");
   put(tuple.machine1_state.ack_rec(1), width => 1);
   put(",");
   put(tuple.machine1_state.ack_rec(2), width => 1);
   put(",");
   put(tuple.machine1_state.hold, width => 1);
   put(",");
   put(tuple.machine2_state.in_buffer(1), width => 2);
   put(",");
   put(tuple.machine2_state.in_buffer(2), width => 2);
   put(",");
   put(tuple.machine2_state.pkt_rec(1), width => 1);
   put(",");
   put(tuple.machine2_state.pkt_rec(2), width => 1);
   put(",");
   put(tuple.GLOBAL_VARIABLES.DATA(1), width => 2);
   put(",");
   put(tuple.GLOBAL_VARIABLES.DATA(2), width => 2);
   put(",");
   put(tuple.GLOBAL_VARIABLES.CONTROL(1), width => 2);
   put(",");
   put(tuple.GLOBAL_VARIABLES.CONTROL(2), width => 2);
   put(",");
   put(tuple.machine1_state.current, width => 1);
   put("]");
end output_Gtuple;

separate (main)
procedure output_Gtuple_to_file(tuple   : in out Gstate_record_type;
                                counter : in out integer) is
begin
   put(reach, counter);
   put(reach, " [" & integer'image(tuple.machine1_state.state_number));
   put(reach, "," & integer'image(tuple.machine2_state.state_number));
   put(reach, ",");
   put(reach, tuple.machine1_state.out_buffer(1), width => 1);
   put(reach, ",");
   put(reach, tuple.machine1_state.out_buffer(2), width => 1);
   put(reach, ",");
   -- this line is unreadable in the source; reconstructed from the ack_rec(2) line below
   put(reach, tuple.machine1_state.ack_rec(1), width => 1);
   put(reach, ",");
   put(reach, tuple.machine1_state.ack_rec(2), width => 1);
   put(reach, ",");
   put(reach, tuple.machine2_state.in_buffer(1), width => 1);
   put(reach, ",");
   put(reach, tuple.machine2_state.in_buffer(2), width => 1);
   put(reach, ",");
   put(reach, tuple.machine2_state.pkt_rec(1), width => 1);
   put(reach, ",");
   put(reach, tuple.machine2_state.pkt_rec(2), width => 1);
   put(reach, ",");
   put(reach, tuple.GLOBAL_VARIABLES.DATA(1), width => 1);
   put(reach, " ]");
   new_line(reach);
end output_Gtuple_to_file;

separate (main)
procedure output_Gstate_node(Gstate_pointer : in out Glink_type;
                             Error_flag     : in out boolean) is
begin
   output_line_count := output_line_count + 1;
   if ((output_line_count mod 10) = 0) then
      scroll_pause;
   end if;
   set_col(Gcolumn_set);
   put(Gstate_pointer.system_state_number, width => 3);
   output_Gtuple(Gstate_pointer.Gtuple);
   -- a node with no outgoing links has no successor global state
   if ((Gstate_pointer.link1.Glink = null) and then (Gstate_pointer.link2.Glink = null)
       and then
       (Gstate_pointer.link3.Glink = null) and then (Gstate_pointer.link4.Glink = null))
   then
      Error_flag := true;
   else
      Error_flag := false;
   end if;
end output_Gstate_node;